TO AUDIT OFFICIALS AND OTHERS INTERESTED IN
GOVERNMENT  AUDITING  STANDARDS 


GAO  invites  your  comments  on  the  accompanying  proposed  changes  to  Government  Auditing 
Standards  (GAGAS),  commonly  known  as  the  “yellow  book.”  These  changes  propose  revision 
throughout  the  entire  set  of  standards  except  for  the  second  general  standard,  independence,  which 
is  being  revised  separately.  The  proposed  revisions  fall  into  three  categories:  GAGAS  framework, 
consistent  application  of  the  standards  where  applicable  to  the  various  types  of  audits,  and 
strengthening  or  streamlining  the  standards.  This  letter  describes  the  process  followed  in  revising 
the  standards,  summarizes  proposed  major  changes,  outlines  the  format  of  this  exposure  draft,  and 
requests  comments  from  interested  parties  on  these  proposed  revisions. 

To  help  ensure  that  the  standards  continue  to  meet  the  needs  of  the  audit  community  and  the  public 
it  serves,  the  Comptroller  General  of  the  United  States  appointed  the  Advisory  Council  on 
Government  Auditing  Standards  to  review  the  standards  and  recommend  necessary  changes.  The 
Advisory  Council  includes  experts  in  financial  and  performance  auditing  drawn  from  all  levels  of 
government,  private  enterprise,  public  accounting,  and  academia.  Public  comment  is  requested  on 
all  draft  revisions  to  the  standards.  This  exposure  draft  reflects  the  Advisory  Council’s  advice  to 
the  Comptroller  General. 

To  assist  you  in  developing  your  comments,  this  letter  discusses  the  proposed  GAGAS  framework 
and  encloses  a  listing  of  the  proposed  changes  to  GAGAS  made  for  consistent  application  of  the 
standards  or  for  strengthening  or  streamlining  the  standards. 

The  types  of  audits  and  services  and  applicable  standards  are  organized  by  separate  chapters  for 
financial  audits,  attestation  engagements,  and  performance  audits  in  order  to  make  the  standards 
user  friendly.  For  example,  the  financial  audit  and  attestation  chapters  are  directed  at  auditors  with 
a  financial  audit  background  and  the  required  knowledge  of  the  American  Institute  of  Certified 
Public  Accountants’  (AICPA)  Generally  Accepted  Auditing  Standards  (GAAS)  and  Attestation 
Standards.  The  performance  audit  chapters  are  written  to  avoid  use  of  terminology  drawn  from 
financial  audits. 

The  financial  audit  presentation  proposes  retaining  the  current  format  of  separate  chapters  for  field 
and  reporting  standards.  The  term  financial  audit  is  defined  to  include  financial  statement  audits 
and other services covered by GAAS and the AICPA’s Statements on Auditing Standards (SASs),
which  interpret  the  standards.  These  other  services  are  defined  in  the  SASs  and  include  areas  such 
as  special  reports,  reviews  of  interim  financial  information,  letters  to  underwriters  and  certain  other 
requesting  parties,  compliance  auditing,  and  audits  of  service  organizations. 

Attestation  engagements  are  defined  as  those  services  performed  under  the  AICPA’s  Attestation 
Standards  and  the  related  Statement  on  Standards  for  Attestation  Engagements  (SSAEs),  which 
interpret  the  standards.  As  the  proposed  additional  GAGAS  standards  are  fewer  than  for  financial 
audits,  the  field  and  reporting  standards  are  presented  in  a  single  chapter. 

GAGAS  proposes  recognizing  the  overlap  between  attestation  engagement  objectives  and 
performance  audit  objectives  and  allowing  the  services  that  overlap  to  be  performed  under  either  set 
of  standards.  Therefore,  GAGAS  simply  proposes  to  recognize  the  reality  of  current  practice. 
Namely,  performance  auditors  provide  these  services  using  performance  audit  standards,  and 
financial  auditors  are  likely  to  provide  these  services  using  the  attestation  standards.  We  are  not 
aware  of  any  problems  that  have  arisen  as  a  result  of  this  practice. 

The  presentation  of  the  financial  audit  chapters  proposes  eliminating  the  term  “financial  related 
audits”  by  specifically  recognizing  the  services  in  addition  to  financial  statement  audits  that  are 
covered  by  the  AICPA’s  Statements  on  Auditing  Standards  in  chapters  4  and  5  or  by  the  Statement 
on  Standards  for  Attestation  Engagements  in  chapter  6.  The  term  “financial  related  audits”  was  the 
source  of  considerable  confusion  to  the  users  of  GAGAS.  By  specifically  recognizing  the  services 
covered  by  the  AICPA’s  SASs  and  SSAEs,  we  have  proposed  clarifying  what  in  fact  was  intended 
by  this  term,  but  not  always  understood  by  the  users  of  GAGAS. 

The  proposed  changes  related  to  performance  audits  retain  the  current  presentation  of  separate 
chapters  for  field  and  reporting  standards.  The  Advisory  Council  has  recognized  that  GAGAS 
applicable  to  the  performance  audit  objectives  of  effectiveness,  economy  and  efficiency,  internal 
control,  and  compliance  are  also  applicable  to  prospective  analyses,  guidance,  or  summary 
information.  Therefore,  we  have  proposed  including  that  latter  objective  in  the  definition  of 
performance  audits,  as  discussed  in  chapter  2,  and  in  the  presentation  of  field  work  and  reporting 
standards,  in  chapters  7  and  8,  applicable  to  the  various  objectives  of  performance  audits.  We 
believe  this  is  a  more  logical  and  user  friendly  presentation  than  having  a  separate  chapter 
discussing  the  field  work  and  reporting  standards  for  these  objectives  that  would  only  tell  the 
auditor to follow the same standards applicable to other types of performance audit objectives.

Chapter  2  of  this  exposure  draft  discusses  nonaudit  services  provided  by  audit  organizations  that  are 
not  covered  by  GAGAS.  These  services  generally  differ  from  financial  audits,  attestation 
engagements,  and  performance  audits  in  that  auditors  may  (1)  provide  information  or  data  to  a 
requesting  party  without  providing  verification,  analysis,  or  evaluation  of  the  information  or  data, 
and  therefore  the  work  does  not  usually  provide  a  basis  for  conclusions,  recommendations,  or 
opinions  on  the  information  or  data,  or  (2)  perform  tasks  requested  by  management  that  directly 
support  the  entity’s  operations,  such  as  asset  evaluation,  actuarial  services,  or  information  system 
design  services.  Audit  organizations  are  encouraged  to  establish  policies  for  maintaining  the 
quality of this type of work. This exposure draft does not discuss the impact of the provision of
nonaudit  services  on  auditor  independence.  That  issue  was  addressed  in  the  May  2001  exposure 
draft  and  comments  are  currently  being  considered. 

As  previously  stated,  we  are  enclosing  a  numbered  listing  of  the  more  significant  proposed  changes 
made  to  the  chapters  for  consistent  application  of  GAGAS  and  the  proposed  changes  made  to 
strengthen  or  streamline  GAGAS.  The  enclosure  includes  a  reference  to  the  applicable  proposed 
revised  paragraph(s)  of  GAGAS.  The  enclosure  does  not  include  the  proposed  reorganization  of 
the  order  of  presentation  to  provide  a  more  logical  grouping  of  the  standards  by  function,  such  as 
planning,  audit  documentation,  report  content,  and  the  audit  process.  This  proposed  type  of  change 
was  primarily  made  to  the  presentation  of  the  performance  audit  chapters. 

Given  the  extensiveness  of  the  proposed  revisions,  we  plan  to  issue  a  new  version  of  GAGAS  that 
will  incorporate  existing  amendments.  We  expect  this  revision  of  the  standards  to  supersede  the 
1994  revision,  including  amendments  1  and  2.  Thereafter,  we  intend  to  continue  our  policy  of 
issuing  amendments  addressing  specific  issues  as  needed.  We  anticipate  this  revision  of  the 
standards,  when  finalized,  will  become  effective  for  financial  audits  of  periods  ending  on  or  after 
January  1,  2003,  and  for  attestation  engagements  and  performance  audits  beginning  on  or  after 
January  1,  2003. 

This  draft  is  being  sent  to  financial  management  and  audit  officials  at  all  levels  of  government,  the 
public  accounting  profession,  academia,  professional  organizations,  and  public  interest  groups.  We 
encourage  you  to  send  your  comments,  whether  you  wish  to  comment  on  the  entire  document  or 
only  a  portion  of  it.  It  would  be  helpful  to  key  your  comments  to  the  specific  paragraph  numbers, 
give  your  rationale  for  any  proposed  changes,  and  suggest  revised  language. 

Additional  copies  of  this  exposure  draft  can  be  obtained  from  the  U.S.  General  Accounting  Office, 
Room 1100, 700 4th Street, NW, Washington, DC 20548 or by calling (202) 512-6000.

A  marked  version  of  the  exposure  draft  is  available  on  the  Internet  on  GAO’s  Home  Page 
(www.gao.gov/govaud/ybk01.htm). In the marked version, italicizing and bolding are used to
identify  potential  added  language  and  striking-out  is  used  to  identify  potential  deleted  language 
from  the  1994  revision  of  Government  Auditing  Standards,  as  currently  amended. 

Since  GAO  is  still  experiencing  delays  in  mail  delivery,  it  would  be  preferable  if  you  sent  your 
comments via e-mail to yellowbook@gao.gov. To ensure that your comments are considered by
the  Advisory  Council  in  their  deliberations,  please  submit  them  by  April  30,  2002.  If  you  need  to 
use  the  mail,  it  would  be  helpful  if  you  sent  your  comments  both  in  writing  and  on  diskette  (in 
Word  or  ASCII  format).  Please  send  any  mail  to  the  following  address: 

Government  Auditing  Standards  Comments 
U.S.  General  Accounting  Office 
Room 5X16 (FMA)
441 G Street, NW
Washington, DC 20548

If you need additional information, please call Marcia Buchanan, Assistant Director, Financial
Management  and  Assurance  at  (202)  512-9321  or  Cheryl  Clark,  Assistant  Director,  Financial 
Management  and  Assurance  at  (202)  512-9377. 

Sincerely  yours, 

Jeffrey  C.  Steinhoff 
Managing  Director 

Financial  Management  and  Assurance 
Enclosures

Enclosure


Proposed  changes  made  for  consistent  application  of  GAGAS  where  applicable: 

1.  For  attestation  engagements:  require  the  additional  GAGAS  field  work  standards  for  auditor 
communication for all levels of work (par. 6.5-6.6); follow-up (par. 6.8-6.10); audit
documentation (par. 6.11-6.17); internal control for examination level work (par. 6.18-6.19);
and  fraud,  illegal  acts,  and  other  noncompliance  for  examination  level  work  (par.  6.20-6.22) 

2.  For  attestation  engagements:  require  additional  GAGAS  reporting  standards  for  reporting 
compliance  with  GAGAS  (par.  6.25-6.27);  reporting  on  internal  control  and  on  fraud,  illegal 
acts,  and  other  noncompliance  when  the  work  identifies  deficiencies  for  all  levels  of 
attestation  engagements  (par.  6.28-6.31);  views  of  responsible  officials  (par.  6.32-6.36); 
privileged  and  confidential  information  (par.  6.37-6.38);  and  report  issuance  and  distribution 
(par.  6.39-6.43) 

3.  For  performance  audits:  add  a  requirement  that  when  using  the  work  of  a  specialist, 
performance auditors be able to articulate the specialist’s objectives, evaluate procedures
used, and evaluate the results of the procedures or use another specialist for these purposes
(par.  7.30-7.31) 

4. For performance audits: add requirements consistent with Amendment No. 1, requiring
documentation of decisions related to internal control over data significantly dependent on
computerized information systems (par. 7.57), and Amendment No. 2, Auditor
Communication (par. 7.32-7.33)

Proposed  changes  in  requirements  to  strengthen/streamline  GAGAS 

5.  Require,  as  part  of  the  due  care  standard,  that  auditors  exercise  professional  skepticism  and 
perform their work with integrity (par. 3.6-3.7)

6. Require that audit organizations have a human capital management system (par. 3.10)

7.  Require  that  auditors  collectively  possess  the  technical  knowledge,  skills,  and  experience 
necessary  to  be  competent  for  the  type  of  work  being  performed  before  beginning  work  on 
the  assignment  (par.  3.12) 

8.  Specifically  state  that  auditors  should  have  knowledge  of  GAGAS  applicable  to  the  work 
they  are  assigned  (par.  3.12  a.)  and  knowledge  of  the  specific  environment  in  which  the 
audited  entity  operates  and  the  subject  matter  under  review  (par.  3.12b.) 

9. Require that auditors be proficient in the AICPA Statements on Standards for Attestation
Engagements when performing attestation engagements (par. 3.13a.) and that public auditors
be licensed CPAs or work for a licensed CPA firm if engaged to perform an attestation
engagement (par. 3.13b.)

10. Require that CPE directly contribute to the auditor’s professional proficiency to perform
work  under  GAGAS  (par.  3.14) 

11. Require external consultants/internal specialists that are responsible for following GAGAS in
planning  and  directing  an  assignment,  performing  substantial  portions  of  field  work,  or 
reporting  on  the  assignment  meet  CPE  requirements  (par.  3.18) 

12.  Require  that  the  internal  quality  control  system  include  procedures  for  monitoring,  on  an 
ongoing  basis,  whether  the  policies  and  procedures  related  to  the  standards  are  suitably 
designed  and  are  being  effectively  applied  (par.  3.20) 

13.  Require  that  an  audit  organization  prepare  documentation  to  demonstrate  compliance  with  its 
policies  and  procedures  for  its  system  of  quality  control  (par.  3.21) 

14.  Specifically  state  that  extensions  of  quality  assurance  review  timeframes  granted  by  other 
professional  bodies  are  not  recognized  under  GAGAS  (par.  3.22,  f/n.  7) 

15. Require organizations conducting external peer reviews to have received an unqualified
opinion  on  the  review  of  their  organization’s  system  of  quality  controls  (par.  3.23b.) 

16.  Require  that  peer  reviewers  have  knowledge  and  training  on  how  to  perform  a  peer  review 
(par.  3.23e.) 

17. Expand what is included in the peer review report (par. 3.23g.)

18.  Require  auditors  to  transmit  their  peer  review  reports  to  appropriate  oversight  bodies  and 
provide  a  copy  of  their  peer  review  report  to  auditors  using  their  work  (par.  3.25) 

19. Specifically incorporate the AICPA’s general standard on criteria for attestation engagements
(par.  6.1) 

20.  Require  that  audit  organizations  establish  policies  and  procedures  for  custody  and  retention 
of  audit  documentation  (par.  4.24,  6.15,  7.67) 

21.  Require  documentation  when  applicable  standards  are  not  followed  (par.  4.22b,  6.16b,  7.68b) 

22.  Permit  auditor  judgment  to  exclude  reporting  certain  information  (par.  5.34,  6.38,  8.34)  and 
to  act  with  integrity  in  making  this  judgment  (par.  8.35) 

23. Revise the requirement for a written report to require a report for which the auditor can make a
judgment as to the appropriate form (par. 8.3)

24.  Require  reporting  whether  the  results  from  a  sample  can  be  projected  to  the  intended 
population (par. 8.11)

25. Permit oral agency comments to be equally acceptable as written comments (par. 5.29, 6.34,
8.30) 

26.  Delete  the  specific  statement  that  external  quality  control  reviews  conducted  through  or  by 
other  professional  bodies  meet  GAGAS  requirements 

27. Delete the standard requiring auditors to refer significant issues needing further study

28. Delete the requirement for auditors to report noteworthy accomplishments

ABBREVIATIONS

AICPA    American Institute of Certified Public Accountants
CPA      certified public accountant
FASAB    Federal Accounting Standards Advisory Board
FASB     Financial Accounting Standards Board
GAAS     AICPA’s generally accepted auditing standards
GAGAS    generally accepted government auditing standards
GASB     Governmental Accounting Standards Board
GAO      General Accounting Office
OMB      Office of Management and Budget
SASs     AICPA’s statements on auditing standards
SSAEs    AICPA’s statement on standards for attestation engagements

CHAPTER 1


INTRODUCTION 


PURPOSE 


1.1 The standards and guidance contained in this document, often referred to as generally
accepted government auditing standards (GAGAS), are intended for use by government
auditors¹ to ensure that they maintain integrity, objectivity, and independence in
planning, conducting, and reporting their work, and are to be followed by auditors and
audit organizations when required by law, regulation, contract, agreement, or policy.²

The work performed in accordance with GAGAS is referred to as audits and attestation
engagements. This work, which is described in this chapter and more fully in chapter 2,
includes financial audits, attestation engagements, and performance audits. Users of
government audits and attestation engagements that are performed in accordance with
GAGAS should have confidence that the work is objective and credible.

1.2 The standards and guidance in this document are for audits and attestation
engagements of government entities, programs, activities, and services,³ and of
government assistance administered by contractors, nonprofit entities, and other
nongovernment entities. Adherence to GAGAS can help ensure that audits and
attestation engagements provide credibility to the information reported by or obtained
from management through objectively acquiring and evaluating evidence. When auditors
perform their work in this manner and comply with GAGAS in reporting the results, their
work can lead to improved government management, decision-making, and oversight,
and can assist in fulfilling the government’s duty to be accountable to the public.

GAGAS pertain to auditors’ professional qualifications and the quality of their work, the
performance of field work, and the characteristics of meaningful audit reporting.

¹ This document addresses the standards that should be used by the individuals conducting the broad array
of work that is described more fully in chapter 2. Accordingly, the focus of this document is not on the
wide variety of titles that are used by individuals conducting and reporting on this work, but instead the
nature of the work that is being performed. The term “auditor” throughout this document includes
individuals who may be titled auditor, analyst, evaluator, or a similar position description.

² Requirements in GAGAS are identified by statements that include the word “should.” Auditors are
expected to comply with these requirements if they apply to the type of work being performed. Auditors
are strongly encouraged to comply with the guidance provided by GAGAS.

³ Henceforth, the term “program” will be used in this document to include government entities, services, and
activities.

1.3  This  chapter  describes  the  applications  of  GAGAS  by  auditors  and  audit 
organizations.  This  chapter  also  describes  the  concept  of  accountability  for  public 
resources  and  discusses  the  responsibilities  of  managers  of  government  programs, 
auditors,  and  audit  organizations  in  the  audit  process. 


APPLICABILITY 


1.4  GAGAS  are  intended  to  be  followed  in  performing  audits  and  attestation 
engagements.  A  number  of  statutes  and  other  mandates  require  that  auditors  follow 
GAGAS.  Where  a  statute  or  other  mandate  does  not  exist,  auditors  will  find  it  useful  to 
use  GAGAS  in  work  regarding  the  use  of  government  funds.  If  auditors  hold  themselves 
out  as  following  GAGAS,  regardless  of  whether  they  are  required  to  follow  such 
standards,  they  need  to  justify  any  departures  from  them. 

1.5  The  following  laws,  regulations,  or  guidelines  require  use  of  GAGAS: 

a.  The  Inspector  General  Act  of  1978,  as  amended,  5  U.S.C.  App.  (2000)  requires  that 
the statutorily-appointed federal inspectors general comply with GAGAS for audits of
federal entities, programs, activities, and functions. The act further states that the
inspectors general should take appropriate steps to ensure that any work performed by
nonfederal auditors complies with GAGAS.

b. The Chief Financial Officers Act of 1990 (Public Law 101-576), as expanded by the
Government  Management  Reform  Act  of  1994  (Public  Law  103-356),  requires  that 
GAGAS  be  followed  in  audits  of  federal  departments’  and  agencies’  financial  statements. 

c.  The  Single  Audit  Act  Amendments  of  1996  (Public  Law  104-156)  require  that  GAGAS 
be  followed  in  audits  of  state  and  local  governments  and  nonprofit  entities  that  receive 
federal financial assistance. OMB Circular A-133, “Audits of States, Local Governments,
and Non-profit Organizations,” which provides the governmentwide guidelines and policies
on  performing  audits  to  comply  with  the  Single  Audit  Act,  also  requires  the  use  of 
GAGAS. 

1.6  Auditors  need  to  be  alert  to  other  laws,  regulations,  or  other  authoritative  sources  that 
could  require  the  use  of  GAGAS.  For  example,  state  and  local  laws  and  regulations  may 
require  auditors  at  the  state  and  local  levels  of  government  to  follow  these  standards. 

Also,  the  terms  of  an  agreement  or  contract  may  require  auditors  to  comply  with 
GAGAS.  Federal  audit  guidelines  pertaining  to  program  requirements,  such  as  those 
issued  for  Housing  and  Urban  Development  and  Student  Financial  Aid  programs,  may 
require  that  GAGAS  be  followed. 

1.7  Even  if  not  required  to  do  so,  auditors  would  find  it  useful  to  follow  GAGAS  in 
performing  audits  of  federal,  state,  and  local  government  programs  as  well  as  in 
performing  audits  of  government  assistance  administered  by  contractors,  nonprofit 
entities,  and  other  nongovernment  entities.  Many  audit  organizations  not  formally 
required  to  do  so,  both  in  the  United  States  and  in  other  countries,  voluntarily  follow 
GAGAS. 

1.8  Auditors  may  provide  professional  services,  other  than  audits  and  attestation 
engagements,  that  consist  solely  of  gathering,  providing,  and  explaining  information 
requested  by  decision-makers  or  by  providing  advice  or  assistance  to  management 
officials.  GAGAS  are  not  applicable  to  these  other  professional  services,  which  are 
described  more  fully  in  chapter  2.  However,  providing  other  professional  services  may 
affect an audit organization’s independence to conduct audits, which is discussed in
chapter  3. 


Relationship  between  GAGAS  and  Other  Professional  Standards 

1.9  GAGAS  may  be  used  in  conjunction  with  professional  standards  issued  by  other 
authoritative  bodies.  For  example,  the  American  Institute  of  Certified  Public 
Accountants (AICPA) has issued professional standards that apply in financial audits and
attestation engagements. GAGAS incorporate the AICPA’s field work and reporting
standards and the related statements on the standards for financial audits unless
specifically excluded, as discussed in chapters 4 and 5. GAGAS incorporate the
AICPA’s general standard on criteria, and the field work and reporting standards and the
related statements on the standards for attestation engagements, unless specifically
excluded, as discussed in chapter 6. To meet the needs of users of government audits and
attestation engagements, GAGAS also prescribe additional requirements to those
provided by the AICPA for these types of work.

1.10  Other  professional  standards  which  may  be  used  by  auditors  are  issued  by  such 
bodies  as  the  Institute  of  Internal  Auditors  (Codification  of  the  Standards  for  the 
Professional  Practice  of  Internal  Auditing.  The  Institute  of  Internal  Auditors,  Inc.),  and 
the  American  Evaluation  Association,  which  has  developed  guiding  principles  for 
evaluators  (Guiding  Principles  for  Evaluators,  a  report  from  the  American  Evaluation 
Association  Task  Force  on  Guiding  Principles  for  Evaluators).  These  other  professional 
standards  are  not  incorporated  into  GAGAS,  but  can  be  used  in  conjunction  with 
GAGAS. 

ACCOUNTABILITY 


1.11  The  concept  of  accountability  for  public  resources  is  inherent  in  our  nation’s 
governing  processes.  Legislators  and  other  government  officials,  and  the  public  want  to 
know whether (1) government resources are managed properly and used in compliance
with  laws  and  regulations,  (2)  government  programs  are  achieving  their  objectives  and 
desired  outcomes,  and  (3)  government  programs  are  being  provided  efficiently, 
economically,  and  effectively.  Managers  of  these  programs  are  often  asked  to  render  an 
account  of  their  activities  and  related  results  to  legislative  bodies  and  the  public. 

1.12  Financial  audits  contribute  to  making  governments  more  accountable  for  the  use  of 
public  resources.  The  auditor,  in  providing  an  independent  report  on  whether  an  entity’s 
financial  information  is  presented  fairly  in  accordance  with  recognized  criteria,  informs 
users  whether  they  can  rely  on  the  information.  Financial  audits  performed  in  accordance 
with  GAGAS  also  provide  information  about  internal  control  and  compliance  with  laws 
and  regulations  as  they  relate  to  financial  transactions,  systems,  and  processes. 

1.13  Attestation  engagements  also  contribute  to  governments’  accountability  for  the  use 
of  public  resources  and  the  delivery  of  services.  In  an  attestation  engagement,  auditors 
issue  an  examination,  a  review,  or  an  agreed-upon  procedures  report  on  the  subject  matter 
or  on  an  assertion  about  the  subject  matter,  based  on  or  in  conformity  with  criteria,  that  is 
the  responsibility  of  another  party.  Attestation  engagements  can  cover  a  broad  range  of 
financial  or  nonfinancial  objectives  and  provide  various  levels  of  assurance  about  the 
subject  matter  or  assertion  dependent  upon  the  user’s  needs. 

1.14  Performance  audits  also  contribute  to  governments’  accountability  for  the  use  of 
public  resources  and  for  the  delivery  of  services.  The  term  performance  audit  is  used  to 
include  a  variety  of  objectives  to  meet  users’  needs.  Performance  audits  provide  an 
independent  assessment  of  the  performance  and  management  of  government  programs 
against  objective  criteria  or  an  assessment  of  best  practices  and  other  information. 
Performance  audits  provide  information  to  improve  program  operations  and  facilitate 
decision-making  by  parties  with  responsibility  to  oversee  or  initiate  corrective  action,  and 
improve  public  accountability.  The  term  performance  audit  is  used  generically  to  include 
work  classified  by  some  audit  organizations  as  program  evaluations,  program 
effectiveness and results audits, economy and efficiency audits, operational audits, and
value-for-money  audits. 

1.15  Given  the  importance  and  complexity  of  government  programs  in  providing  a 
variety  of  public  services,  auditors  are  increasingly  being  called  on  by  legislative  bodies 
and  government  agencies  to  expand  the  variety  of  performance  audits  to  include  work 
that  has  a  prospective  focus  or  provides  guidance,  best  practice  information,  or 
information  on  issues  that  affect  multiple  programs  or  entities  already  studied  or  under 
study  by  an  audit  organization.  This  work  may  also  include  an  assessment  of  policy 
alternatives,  identification  of  risks  and  risk  mitigation  efforts,  and  a  variety  of  analytical 
services  to  aid  government  officials  in  performing  their  responsibilities  and  stewardship 
of  government  resources.  Such  work,  like  other  performance  audits,  involves  a  level  of 
analysis,  research,  or  evaluation;  may  provide  conclusions  and  recommendations;  and 
results  in  a  report. 


ROLES  AND  RESPONSIBILITIES 


1.16  Management  and  auditors  of  government  programs  fulfill  essential  roles  and 
responsibilities  in  ensuring  that  public  resources  are  used  efficiently,  economically, 
effectively,  and  legally.  Audit  organizations  also  have  the  important  responsibility  for 
ensuring  that  auditors  can  meet  their  responsibilities.  These  unique  roles  involve  sound 
management  practices  and  professional  audits  and  attestation  engagements. 

Management’s  Role 


1.17  Management  entrusted  with  handling  public  resources  (for  example,  managers  of  a 
state  or  local  governmental  entity  or  a  nonprofit  entity  that  receives  federal  assistance)  is 
responsible  for  applying  those  resources  efficiently,  economically,  effectively,  and 
legally  to  achieve  the  purposes  for  which  the  resources  were  furnished  or  the  program 
was established. This responsibility applies to all resources, both financial and physical,
whether entrusted to public officials or others by their own constituencies or by other
levels  of  government. 

1.18  Management  entrusted  with  public  resources  is  responsible  for  complying  with 
applicable  laws  and  regulations.  That  responsibility  encompasses  identifying  the 
requirements  with  which  the  entity  and  the  official  must  comply  and  implementing 
systems  designed  to  achieve  that  compliance. 

1.19  Management  entrusted  with  public  resources  is  responsible  for  establishing  and 
maintaining  effective  internal  control  to  ensure  that  appropriate  goals  and  objectives  are 
met;  resources  are  received,  used  efficiently  and  effectively,  and  safeguarded;  laws  and 
regulations  are  followed;  and  reliable  data  are  obtained,  maintained,  and  fairly  disclosed. 
Management  is  responsible  for  providing  appropriate  reports  to  those  who  oversee  their 
actions  and  to  the  public  in  order  to  be  accountable  for  the  resources  used  to  carry  out 
government  programs  and  the  results  of  these  programs. 

1.20  Management  is  responsible  for  addressing  the  findings  and  recommendations  of 
auditors,  and  for  establishing  and  maintaining  a  process  to  track  the  status  of  such 
findings  and  recommendations. 

1.21 Management is responsible for following sound procurement practices when
contracting for audits and attestation engagements, including ensuring that procedures
for monitoring contract performance are in place. The objectives and scope of the assignment
need  to  be  made  clear.  In  addition  to  price,  other  factors  that  may  be  considered  in 
evaluating  bid  proposals  include  the  responsiveness  of  the  bidder  to  the  request  for 
proposal;  the  experience  of  the  bidder;  the  availability  of  the  bidder’s  staff  who  have  the 
appropriate  professional  qualifications  and  technical  abilities;  and  the  results  of  the 
bidder’s peer reviews.

Auditors’ Responsibilities


1.22 Auditors in discharging their professional responsibilities need to observe the
principles of serving the public interest and maintaining the highest sense of integrity,
objectivity, and independence. These principles are fundamental to the responsibilities of
auditors and the auditing profession.

1.23 Auditors are responsible to accept the obligation to act in a way that will serve the
public interest, honor the public trust, and uphold their professionalism. A distinguishing
mark of a profession is acceptance of its responsibility to the public. This responsibility
is critical when auditing in the government environment. Because the concept of
accountability underlies GAGAS, this need to serve the public interest is essential for all
work done in accordance with GAGAS.

1.24 Auditors need to make decisions that are consistent with the public interest in the
program or activity under audit. The public interest is defined as the collective well-being
of the community of people and entities the auditor serves. In discharging their
professional responsibilities, auditors may encounter conflicting pressures from
management of the audited entity, various levels of government, employers, and others
who rely on the objectivity and independence of the auditors. In resolving those
conflicts, auditors are responsible to act with integrity, guided by the precept that when
auditors fulfill their responsibilities to the public, these individuals’ and organizations’
interests are best served.

1.25 To maintain and broaden public confidence, auditors need to perform all
professional responsibilities with the highest sense of integrity. Auditors are responsible
to be honest and candid with the audited entity and users of the auditors’ work in the
conduct of their work, within the constraints of the audited entity’s confidentiality.
Service and the public trust should not be subordinated to personal gain and advantage.
Integrity can accommodate the inadvertent error and the honest difference of opinion; it
cannot accommodate deceit or subordination of principle. Integrity requires auditors to
observe both the form and the spirit of technical and ethical standards; circumvention of
those standards constitutes subordination of judgment. Integrity also requires auditors to
observe the principles of objectivity and independence.

1.26  Auditors  are  responsible  to  maintain  objectivity  and  be  free  of  conflicts  of  interest 
in  discharging  their  professional  responsibilities.  Auditors  are  also  responsible  to  be 
independent  in  fact  and  appearance  when  providing  audit  and  attestation  services. 
Objectivity  is  a  state  of  mind  that  requires  auditors  to  be  impartial,  intellectually  honest, 
and  free  of  conflicts  of  interest.  Independence  precludes  relationships  that  may  in  fact  or 
appearance  impair  an  auditor’s  objectivity  in  performing  the  audit.  The  maintenance  of 
objectivity  and  independence  requires  continuing  assessment  of  relationships  with  the 
audited  entities  and  public  responsibility. 

1.27 In applying GAGAS, auditors are responsible for using professional judgment when
establishing scope and methodologies for their work, determining the tests and
procedures to be performed, conducting the work, and reporting the results. Auditors
need to maintain integrity and objectivity when doing their work to make decisions that
are consistent with the broader public interest in the program or activity under review.
When reporting on the results of their work, auditors are responsible for disclosing all
material or significant facts known to them which, if not disclosed, could mislead
knowledgeable users, misrepresent the results, or conceal improper or unlawful practices.

1.28  Auditors  are  responsible  for  helping  management  and  other  report  users  understand 
the  auditors’  responsibilities  under  GAGAS  and  other  audit  coverage  required  by  law  or 
regulation.  To  help  managers  and  other  report  users  understand  an  audit’s  objectives, 
time frames, and data needs, auditors need to communicate information concerning the
planning, conduct, and reporting of the assignment to the parties involved.

Audit Organizations’ Responsibilities


1.29 Audit organizations also have the responsibility for ensuring that (1) independence
and objectivity are maintained in all phases of the assignment, (2) professional judgment
is  used  in  planning  and  performing  the  work  and  in  reporting  the  results,  (3)  the  work  is 
performed  by  personnel  who  are  professionally  competent,  and  (4)  their  systems  of 
quality  control  are  periodically  examined  by  independent  peers  to  ensure  that  they  have 
in  place  appropriately  designed  policies,  procedures,  and  practices  that  are  functioning 
effectively  to  meet  professional  standards. 

1.30  While  management  is  responsible  for  addressing  audit  and  attestation  engagement 
findings  and  recommendations  and  tracking  their  status  of  resolution,  audit  organizations 
are  responsible  for  establishing  policies  and  procedures  for  follow-up  to  determine 
whether  previous  findings  and  recommendations  are  addressed  and  are  considered  in 
planning future assignments.

CHAPTER 2


TYPES  OF  GOVERNMENT  AUDITS 
AND  ATTESTATION  ENGAGEMENTS 


INTRODUCTION 

2.1  This  chapter  describes  the  types  of  audits  and  attestation  engagements  that  audit 
organizations perform, or arrange to have performed, of government programs,¹ and of
government  assistance  administered  by  contractors,  nonprofit  entities,  and  other 
nongovernment  entities.  This  description  is  not  intended  to  limit  or  require  the  types  of 
audits  or  attestation  engagements  that  may  be  performed  or  arranged  to  be  performed.  In 
performing  work  described  below  in  accordance  with  generally  accepted  government 
auditing  standards  (GAGAS),  auditors  should  follow  the  applicable  standards  included 
and  incorporated  in  chapters  3  through  8.  This  chapter  also  describes  other  professional 
services  that  audit  organizations  provide,  although  these  services  are  not  covered  by 
GAGAS. 

2.2  All  assignments  begin  with  objectives,  and  those  objectives  determine  the  type  of 
work to be performed and the audit standards to be followed. The types of work, as
defined by their objectives, that are covered by GAGAS are classified in these standards
as financial audits, attestation engagements, and performance audits.

2.3  Assignments  may  have  a  combination  of  objectives  that  include  more  than  one  type 
of  work  described  in  this  chapter  or  may  have  objectives  limited  to  only  some  aspects  of 
one  type  of  work.  Auditors  should  follow  the  standards  that  are  applicable  to  the 
individual  objectives  of  the  audit  or  attestation  engagement. 


¹The term “program” is used to include entities, services, and activities.

FINANCIAL AUDITS


2.4 Financial audits primarily concern providing reasonable assurance about whether
financial statements are presented fairly in all material respects in conformity with
generally accepted accounting principles (GAAP), or with a comprehensive basis of
accounting other than GAAP. Other objectives of financial audits may include

a. providing special reports for specified elements, accounts, or items of a financial
statement;

b. reviewing interim financial information or segments of financial statements;

c. issuing letters for underwriters and certain other requesting parties;

d. reporting on the processing of transactions by service organizations; and

e. auditing compliance with regulations relating to governmental financial assistance.


2.5 Financial audits are performed under the American Institute of Certified Public
Accountants’ (AICPA) generally accepted auditing standards for field work and
reporting, as well as the related AICPA Statements on Auditing Standards (SASs) which
interpret the standards and provide guidance on conducting such work. Accordingly,
auditors performing financial audits need to be proficient in applying the AICPA
standards and guidance contained in the SASs. GAGAS prescribe general standards and
additional field work and reporting requirements beyond those provided by the AICPA
when performing financial audits. (See chapters 3, 4, and 5 for standards and guidance
for auditors performing a financial audit in accordance with GAGAS.)


²Three authoritative bodies for generally accepted accounting principles (GAAP) are the Governmental
Accounting Standards Board (GASB), the Financial Accounting Standards Board (FASB), and the Federal
Accounting Standards Advisory Board (FASAB). GASB establishes accounting principles and financial
reporting standards for state and local government entities. FASB establishes accounting principles and
financial reporting standards for nongovernment entities. FASAB promulgates accounting principles and
financial reporting standards for the federal government.

³GAGAS incorporate all AICPA field work and reporting auditing standards and the related SASs unless
the Comptroller General of the United States excludes them by formal announcement. To date, the
Comptroller General has not excluded any AICPA field work or reporting auditing standards or any SASs.

GAO-02-340G Government Auditing Standards Exposure Draft


ATTESTATION  ENGAGEMENTS 


2.6  Attestation  engagements  concern  examining,  reviewing,  or  performing  agreed  upon 
procedures on a subject matter or an assertion⁴ about a subject matter and reporting on
the  results.  The  subject  matter  of  an  attestation  engagement  may  take  many  forms, 
including  historical  or  prospective  performance  or  condition,  physical  characteristics, 
historical  events,  analyses,  systems  and  processes,  or  behavior.  Attestation  engagements 
can  cover  a  broad  range  of  financial  or  nonfinancial  objectives  and  can  be  part  of  a 
financial  audit  or  other  type  of  audit.  Examples  of  objectives  of  attestation  engagements 
include  reporting  on 

a.  an  entity’s  internal  control  over  financial  reporting; 

b.  an  entity’s  compliance  with  requirements  of  specified  laws,  regulations,  rules, 
contracts,  or  grants; 

c.  the  effectiveness  of  an  entity’s  internal  control  over  compliance  with  specified 
requirements,  such  as  those  governing  the  bidding  for,  accounting  for,  and  reporting  on 
grants  and  contracts; 

d.  management’s  discussion  and  analysis  (MD&A)  presentation; 

e.  prospective  financial  statements  or  pro  forma  financial  information; 


⁴An assertion is any declaration or set of declarations about whether the subject matter is based on or in
conformity with the criteria selected.

f. the reliability of performance measures;


g.  final  contract  cost;  and 

h. allowability and reasonableness of proposed contract amounts.⁵

2.7 Attestation engagements are performed under the AICPA’s attestation standards, as
well as the related AICPA Statements on Standards for Attestation Engagements
(SSAEs) which interpret the standards and provide guidance on conducting such work.
Accordingly, auditors performing attestation engagements need to be proficient in
applying the AICPA standards and guidance contained in the SSAEs. GAGAS prescribe
general standards and additional field work and reporting requirements beyond those
provided by the AICPA for attestation engagements. (See chapters 3 and 6 for standards
and guidance for auditors performing an attestation engagement in accordance with
GAGAS.)


PERFORMANCE  AUDITS 


2.8 A performance audit is an objective and systematic examination of evidence to
provide an independent assessment of the performance and management of a program
against objective criteria or an assessment of best practices and other information.
Performance audits provide information to improve program operations and facilitate
decisionmaking by parties with responsibility to oversee or initiate corrective action, and
improve public accountability. Performance audits encompass a wide variety of
objectives including objectives related to assessing program effectiveness and results;
economy and efficiency; internal control;⁷ and compliance with legal or other
requirements; and objectives related to providing prospective analyses, guidance, or
summary information. Performance audits also may encompass a broad or narrow scope
of work and a variety of methodologies; involve a level of analysis, research, or
evaluation; generally provide conclusions and recommendations; and result in a report.
(See chapters 3, 7, and 8 for standards and guidance for auditors performing a
performance audit in accordance with GAGAS.)


⁵Some of these examples of attestation engagement objectives are similar to some of the performance audit
objectives listed in paragraphs 2.9 through 2.11. Depending on user needs and the auditor’s qualifications,
the auditor may choose to apply performance audit standards in chapters 7 and 8 to the objectives in
paragraph 2.6 instead of following the attestation standards in chapter 6.

⁶GAGAS incorporate the AICPA’s general attestation standard on criteria and all the AICPA’s field work
and reporting attestation standards and the related SSAEs unless the Comptroller General of the United
States excludes them by formal announcement. To date, the Comptroller General has not excluded any
AICPA field work or reporting attestation standards or SSAEs.

2.9  Program  effectiveness  and  results  audit  objectives  address  the  effectiveness  of  a 
program  and  typically  measure  the  extent  to  which  a  program  is  achieving  its  goals  and 
objectives.  Economy  and  efficiency  audit  objectives  concern  whether  an  entity  is 
acquiring,  protecting,  and  using  its  resources  in  the  most  productive  manner  to  achieve 
program  objectives.  These  audit  objectives  are  often  interrelated  and  may  be  concurrently 
addressed  in  a  performance  audit.  Examples  of  program  effectiveness  and  results  and 
economy  and  efficiency  audit  objectives  include  assessing 

a.  the  extent  to  which  legislative,  regulatory,  or  organizational  goals  and  objectives  are 
being  achieved; 

b.  the  relative  utility  of  alternative  approaches  to  yield  better  program  performance  or 
eliminate  factors  that  inhibit  program  effectiveness; 

c. the relative cost and benefits or cost effectiveness of program performance;⁸

d.  whether  a  program  produced  intended  results  or  produced  effects  that  were  not 
intended  by  the  program’s  established  or  stated  objectives; 


⁷The term internal control in this document is synonymous with the term management control and, unless
otherwise stated, covers all aspects of an entity’s operations (programmatic, financial, and compliance).

⁸These objectives focus on combining cost information with information about outputs or the benefit
provided, and outcomes or the results achieved.

e. the extent to which programs duplicate, overlap, or conflict with other related
programs; 

f.  whether  the  audited  entity  is  following  sound  procurement  practices; 

g.  the  validity  and  reliability  of  performance  measures  concerning  program  effectiveness 
and  results,  or  economy  and  efficiency;  and 

h.  the  financial  information  related  to  the  performance  of  a  program. 

2.10 Internal control audit objectives relate to management’s plans, methods, and
procedures  used  to  meet  its  mission,  goals,  and  objectives.  Internal  controls  include  the 
processes  and  procedures  for  planning,  organizing,  directing,  and  controlling  program 
operations,  and  the  system  put  in  place  for  measuring,  reporting,  and  monitoring  program 
performance.  Examples  of  audit  objectives  related  to  internal  control  include  the  extent 
that  internal  controls  of  a  program  provide  reasonable  assurance  that 

a.  organizational  missions,  goals,  and  objectives  are  achieved  effectively  and  efficiently; 

b.  resources  are  used  in  compliance  with  laws,  regulations,  or  other  requirements; 

c.  resources  are  safeguarded  against  unauthorized  acquisition,  use,  or  disposition; 

d.  management  information  and  public  reports  that  are  produced,  such  as  performance 
measures,  are  complete,  accurate,  and  consistent  to  document  performance  and  support 
decisionmaking; 

e.  security  over  computerized  information  systems  will  prevent  or  detect  unauthorized 
access; and

f. contingency planning for information systems provides essential back-up to prevent
unwarranted  disruption  of  activities  and  functions  the  systems  support. 

2.11  Compliance  audit  objectives  relate  to  compliance  criteria  established  by  laws, 
regulations, contract provisions, grant agreements, and other requirements⁹ that could
affect  the  acquisition,  protection,  and  use  of  the  entity’s  resources,  and  the  quantity, 
quality,  timeliness,  and  cost  of  services  the  entity  produces  and  delivers.  Compliance 
objectives  also  concern  the  purpose  of  the  program,  the  manner  in  which  it  is  to  be 
conducted  and  services  delivered,  and  the  population  it  serves. 

2.12  Audit  organizations  are  increasingly  undertaking  work  that  is  similar  to  the 
traditional  performance  audit  but  may  have  a  prospective  focus  or  may  provide  guidance, 
best  practice  information,  or  information  on  cross-cutting  issues  already  studied  or  under 
study  by  an  audit  organization.  While  this  work  generally  does  not  involve  assessing 
specific  ongoing  programs,  it  may  use  data  from  relevant  audit  work  for  comparative  or 
baseline  purposes.  This  performance-related  work  may  encompass  a  broad  or  narrow 
range  of  objectives  and  scope  of  work;  use  a  variety  of  methodologies;  involve  a  level  of 
analysis,  research,  or  evaluation;  generally  provide  conclusions  and  recommendations; 
and  result  in  a  report.  It  is  also  subject  to  the  same  standards  as  performance  audits. 
Examples  of  objectives  pertaining  to  this  work  include 

a.  assessing  program  or  policy  alternatives,  including  forecasting  program  outcomes 
under  various  assumptions; 

b.  assessing  the  advantages  and  disadvantages  of  legislative  proposals; 

c.  conducting  surveys  to  obtain  and  analyze  views  of  stakeholders  on  policy  proposals 
for  decisionmakers; 


⁹Compliance requirements can be either financial or nonfinancial in nature.

d. analyzing budget proposals or budget requests to assist legislatures in the budget
process; 

e.  developing  methods  or  approaches  for  use  in  evaluating  new  or  proposed  programs; 

f.  producing  a  high-level  summary  or  a  report  that  affects  multiple  programs  or  entities 
on  issues  studied  or  under  study  by  the  audit  organization;  and 

g.  developing  guidance  documents  such  as  those  based  on  best  practices  research  and 
syntheses  for  management’s  use  in  evaluating  program  or  management  system 
approaches, including financial and information management systems.¹⁰


NONAUDIT  SERVICES  OF  AUDIT  ORGANIZATIONS 

2.13  Audit  organizations  may  also  provide  nonaudit  services  that  are  not  covered  by 
GAGAS.  These  nonaudit  services  consist  of  gathering,  providing,  or  explaining 
information  requested  by  decision  makers  or  providing  advice  or  assistance  to 
management  officials.  Nonaudit  services  generally  differ  from  financial  audits, 
attestation  engagements,  and  performance  audits  described  above  in  that  auditors  provide 
information  or  data  to  a  requesting  party  without  providing  verification,  analysis,  or 
evaluation  of  the  information  or  data,  and  therefore  the  work  does  not  usually  provide  a 
basis  for  conclusions,  recommendations,  or  opinions  on  the  information  or  data.  These 
other  services  may  or  may  not  result  in  a  report.  Some  examples  of  these  other 
professional  services  include 

a.  assisting  a  legislative  body  by  developing  questions  for  use  at  a  hearing; 

b.  gathering  and  reporting  unverified  external  or  third-party  data  to  aid  legislative  and 
administrative  decision  making; 

¹⁰These guidance documents may also be used by auditors in planning and performing their work.

c. compiling or reviewing financial statements or other information to assist entities and
management officials;¹¹

d.  advising  an  entity  regarding  its  performance  of  internal  control  self-assessments; 

e.  providing  professional  advice  to  entities  and  management  officials  to  assist  them  in 
activities  such  as  the  design  or  installation  of  information  systems  and  related  internal 
control  activities; 

f.  valuing  an  entity’s  pension,  other  postemployment  benefit,  or  other  similar  liabilities; 

g.  preparing  an  entity’s  indirect  cost  proposal  or  cost  allocation  plan; 

h.  providing  human  resource  services  to  assist  management  in  its  evaluation  of  potential 
candidates;  and 

i.  development  of  audit  methodologies,  policies,  and  procedures. 

2.14  GAGAS  do  not  cover  nonaudit  services  described  in  this  chapter  as  such  services 
are  not  audits  or  attestation  engagements.  Therefore,  auditors  should  not  report  that  such 
services  were  conducted  in  accordance  with  GAGAS.  However,  audit  organizations  are 
encouraged  to  establish  policies  for  maintaining  the  quality  of  this  type  of  work,  and  may 
wish  to  disclose  in  any  product  resulting  from  this  work,  any  other  professional  standards 
followed and the quality control steps taken.


¹¹This type of work is covered under the AICPA’s Statements on Standards for Accounting and Review
Services (SSARS), which are not incorporated into GAGAS since the work covered by the SSARS is not
considered an audit.

CHAPTER 3


GENERAL  STANDARDS 


INTRODUCTION 


3.1  This  chapter  prescribes  general  standards  and  provides  guidance  for  performing 
financial audits, attestation engagements,¹ and performance audits. These general
standards  concern  the  fundamental  requirements  for  ensuring  the  credibility  of 
auditors’  results.  Credibility  is  essential  to  all  audit  organizations  performing  work 
that  government  leaders  and  other  users  rely  on  for  making  decisions,  and  is  what  the 
public  expects  of  information  provided  by  auditors.  These  general  standards 
encompass  the  independence  of  the  audit  organization  and  its  individual  auditors;  the 
exercise  of  professional  judgment  in  the  performance  of  work  and  the  preparation  of 
related  reports;  the  competence  of  audit  staff,  including  their  continuing  professional 
education;  and  the  existence  of  quality  control  systems  and  external  peer  reviews. 

3.2  These  general  standards  provide  the  underlying  framework  that  is  critical  in 
effectively  applying  the  field  work  and  reporting  standards  described  in  the  following 
chapters,  in  performing  the  detailed  work  associated  with  the  assignment,  and  in 
preparing  related  reports  and  other  products.  Therefore,  these  general  standards  are 
required  to  be  followed  by  all  auditors  and  audit  organizations,  both  government  and 
nongovernment,  performing  work  under  generally  accepted  government  auditing 
standards  (GAGAS). 


¹See chapter 6 for an additional general standard auditors should follow when performing an attestation
engagement.

INDEPENDENCE


[Refer  to  Amendment  No.  3,  Independence.  The  following  paragraph  numbers  will 
change  accordingly.] 


PROFESSIONAL  JUDGMENT 


3.3  The  second  general  standard  is: 

Professional  judgment  should  be  used  in  planning  and  performing  audits  and 
attestation  engagements,  and  in  reporting  the  results. 

3.4 This standard requires auditors to observe the principles of serving the public
interest and maintaining the highest sense of integrity, objectivity, and independence
in applying professional judgment in all aspects of their work. This standard also
imposes a responsibility upon each auditor within the audit organization to observe
GAGAS. If auditors hold themselves out as following GAGAS, regardless of
whether they are required to follow such standards, they need to justify any
departures from them.

3.5  Auditors  should  use  professional  judgment  in  determining  the  type  of  assignment 
to  be  performed  and  the  standards  that  apply  to  the  work;  establishing  the  scope  of 
work;  selecting  the  methodology;  determining  the  type  and  amount  of  evidence  to  be 
gathered;  and  choosing  the  tests  and  procedures  for  their  work.  Professional 
judgment  also  should  be  applied  in  performing  the  tests  and  procedures  and  in 
evaluating  and  reporting  the  results  of  the  work. 


²Professional judgment is synonymous with due professional care as defined in the American Institute
of Certified Public Accountants (AICPA) standards. While the principles of serving the public interest
and maintaining the highest sense of integrity, objectivity, and independence are not explicitly stated in
the AICPA’s due professional care standard, these principles serve as the framework for all AICPA
rules and standards.

3.6 Professional judgment requires auditors to exercise professional skepticism,
which  is  an  attitude  that  includes  a  questioning  mind  and  a  critical  assessment  of 
evidence.  Auditors  use  the  knowledge,  skills,  and  experience  called  for  by  their 
profession  to  diligently  perform,  in  good  faith  and  with  integrity,  the  gathering  of 
evidence  and  objective  evaluation  of  the  competency  and  sufficiency  of  evidence. 
Since  evidence  is  gathered  and  evaluated  throughout  the  assignment,  professional 
skepticism  should  be  exercised  throughout  the  assignment. 

3.7  Auditors  neither  assume  that  management  is  dishonest  nor  assume  unquestioned 
honesty.  In  exercising  professional  skepticism,  auditors  should  not  be  satisfied  with 
less  than  persuasive  evidence  because  of  a  belief  that  management  is  honest. 

3.8  The  exercise  of  professional  judgment  allows  the  auditor  to  obtain  reasonable 
assurance  that  material  misstatements  or  significant  inaccuracies  in  data  will  be 
detected  if  they  exist.  Absolute  assurance  is  not  attainable  because  of  the  nature  of 
evidence  and  the  characteristics  of  fraud.  Therefore,  an  audit  or  attestation 
engagement  conducted  in  accordance  with  GAGAS  may  not  detect  a  material 
misstatement  or  significant  inaccuracy,  whether  from  error  or  fraud.  Accordingly, 
while  this  standard  places  responsibility  on  each  auditor  and  audit  organization  to 
exercise  professional  judgment  in  planning  and  performing  an  assignment,  it  does  not 
imply  unlimited  responsibility,  nor  does  it  imply  infallibility  on  the  part  of  either  the 
individual  auditor  or  the  audit  organization. 


COMPETENCE 


3.9  The  third  general  standard  is: 

The  staff  assigned  to  perform  the  assignment  should  collectively  possess 
adequate  professional  competence  for  the  tasks  required. 

3.10  This  standard  places  responsibility  on  audit  organizations  to  ensure  that  each
assignment  is  performed  by  staff  who  collectively  have  the  knowledge,  skills,  and 
experience  necessary  for  that  assignment.  Audit  organizations  should  have  a  process, 
such  as  a  human  capital  system,  for  recruitment,  hiring,  continuous  development,  and 
evaluation  of  staff  to  assist  the  organization  in  maintaining  a  workforce  that  has 
adequate  competence. 

3.11  The  competencies  discussed  below  apply  to  the  knowledge,  skills,  and 
experience  of  audit  organizations  as  a  whole  and  not  necessarily  to  each  individual 
auditor.  An  organization  may  need  to  employ  individuals  or  hire  subject  matter 
experts  who  are  knowledgeable,  skilled,  or  experienced  in  such  areas  as  accounting, 
statistics,  law,  engineering,  audit  design  and  methodology,  information  technology, 
public  administration,  economics,  social  sciences,  or  actuarial  science. 

Technical  Knowledge  and  Competence 

3.12  Staff  members  conducting  audits  and  attestation  engagements  under  GAGAS 
should  collectively  possess  the  technical  knowledge,  skills,  and  experience  necessary 
to  be  competent  for  the  type  of  work  being  performed  before  beginning  work  on  an 
assignment.  Auditors  should  possess 

a.  knowledge  of  government  auditing  standards  applicable  to  the  type  of  work  they 
are  assigned  and  the  education,  skills,  and  experience  to  apply  such  knowledge  to  the 
work  being  performed; 

b.  knowledge  of  the  specific  environment  in  which  the  audited  entity  operates  and 
the  subject  matter  under  review; 

c.  skills  to  communicate  clearly  and  effectively,  both  orally  and  in  writing;  and 

d.  skills  appropriate  for  the  work  being  performed.  For  example: 

(1)  if  the  work  requires  use  of  statistical  sampling,  the  staff  or  consultants  to  the  staff
should  include  persons  with  statistical  sampling  expertise; 

(2)  if  the  work  requires  extensive  review  of  information  systems,  the  staff  or 
consultants  to  the  staff  should  include  persons  with  information  technology  expertise; 

(3)  if  the  work  involves  review  of  complex  engineering  data,  the  staff  or  consultants 
to  the  staff  should  include  persons  with  engineering  expertise;  or 

(4)  if  the  work  involves  the  use  of  specialized  audit  methodologies  or  analytical 
techniques,  such  as  the  use  of  complex  survey  instruments,  actuarial-based  estimates, 
or  statistical  analysis  tests,  the  staff  or  consultants  to  the  staff  should  include  persons 
with  expertise  in  those  methodologies. 

3.13  The  following  additional  competencies  are  needed  for  financial  audits. 

a.  Auditors  should  be  knowledgeable  in  generally  accepted  accounting  principles  and 
the  AICPA’s  generally  accepted  auditing  standards  for  field  work  and  reporting  and
the  related  statements  on  the  standards  (SASs)  when  performing  a  financial  audit  and
should  be  competent  in  applying  these  standards  and  SASs  to  the  task  assigned.
Similarly,  when  performing  an  attestation  engagement,  auditors  should  be
knowledgeable  in  the  AICPA’s  general  attestation  standard  related  to  criteria,  and  the
AICPA’s  attestation  standards  for  field  work  and  reporting  and  the  related  statements
on  the  standards  for  attestation  engagements  (SSAEs),  and  should  be  competent  in 
applying  these  standards  and  SSAEs  to  the  task  assigned. 

b.  Public  accountants  engaged  to  perform  financial  audits  or  attestation  engagements 
should  be  (a)  licensed  certified  public  accountants  or  persons  working  for  a  licensed 
certified  public  accounting  firm,  or  (b)  public  accountants  licensed  on  or  before 
December  31,  1970,  or  persons  working  for  a  public  accounting  firm  licensed  on  or
before  December  31,  1970.^ 

Continuing  Professional  Education 

3.14  Auditors  performing  work  under  GAGAS  need  to  maintain  their  professional 
competence  through  continuing  professional  education  (CPE).  Therefore,  each 
auditor  performing  work  under  GAGAS  should  complete,  every  2  years,  at  least  80 
hours  of  CPE  which  directly  contributes  to  the  auditor’s  professional  proficiency  to 
perform  such  work.  At  least  20  hours  should  be  completed  in  any  1  year  of  the  2-year 
period. 

3.15  Continuing  education  may  include  such  topics  as  developments  in  audit 
standards  and  methodology,  accounting,  assessment  of  internal  control,  principles  of 
management  or  supervision,  information  systems  management,  statistical  sampling, 
financial  statement  analysis,  evaluation  design,  and  data  analysis.  It  may  also  include 
subjects  related  to  specific  fields  of  work,  such  as  public  administration,  public  policy
and  structure,  industrial  engineering,  finance,  economics,  social  sciences,  and
information  technology. 

3.16  In  addition,  auditors  responsible  for  planning  or  directing  an  assignment, 
performing  substantial  portions  of  the  field  work,^  or  reporting  on  the  assignment
under  GAGAS  should  complete  at  least  24  of  the  80  hours  of  CPE  in  subjects  directly 
related  to  the  government  environment  and  to  government  auditing.  If  the  audited 
entity  operates  in  a  specific  or  unique  environment,  auditors  should  receive  CPE  that 
is  related  to  that  environment. 


^Accountants  and  accounting  firms  meeting  these  licensing  requirements  should  also  comply  with  the 
applicable  provisions  of  the  public  accountancy  law  and  rules  of  the  jurisdiction(s)  where  the  audit  is 
being  conducted  and  the  jurisdiction(s)  in  which  the  accountants  and  their  firms  are  licensed.

^Auditors  are  considered  responsible  for  “conducting  substantial  portions  of  field  work”  when,  in  a
given  CPE  year,  time  chargeable  to  audits  and  attestation  engagements  following  GAGAS  is  20
percent  or  more  of  their  total  chargeable  time.

3.17  The  audit  organization  is  responsible  for  ensuring  that  auditors  meet  the
continuing  education  requirements.  The  audit  organization  should  maintain 
documentation  of  the  CPE  completed.  GAO  has  developed  guidance  pertaining  to 
CPE  requirements  to  assist  auditors  and  audit  organizations  in  exercising  professional 
judgment  in  complying  with  the  CPE  requirements.^ 

3.18  External  consultants  and  internal  experts  and  specialists  should  be  qualified  and 
maintain  professional  competence  in  their  areas  of  expertise  and/or  specialization. 
However,  they  are  not  required  to  meet  the  above  CPE  requirements  unless  they  are 
responsible  for  following  GAGAS  in  planning  or  directing  the  assignment, 
performing  substantial  portions  of  field  work,  or  reporting  on  the  assignment. 


QUALITY  CONTROL  AND  ASSURANCE 

3.19  The  fourth  general  standard  is: 

Each  audit  organization  performing  assignments  in  accordance  with  GAGAS 
should  have  an  appropriate  internal  quality  control  system  in  place  and  should 
undergo  an  external  peer  review. 

3.20  The  internal  quality  control  system  established  by  the  audit  organization  should 
provide  reasonable  assurance  that  it  is  following  (1)  adequate  quality  control  policies 
and  procedures,  and  (2)  applicable  government  auditing  standards.  The  internal 
quality  control  system  should  include  procedures  for  monitoring,  on  an  ongoing  basis, 
whether  the  policies  and  procedures  related  to  the  standards  are  suitably  designed  and 
are  being  effectively  applied. 


^Interpretation  of  Continuing  Education  and  Training  Requirements.  April  1991,  Government  Printing 
Office  stock  number  020-000-00250-6. 

3.21  The  nature  and  extent  of  an  audit  organization’s  internal  quality  control  system
depends  on  a  number  of  factors,  such  as  its  size,  the  degree  of  operating  autonomy 
allowed  its  personnel  and  its  audit  offices,  the  nature  of  its  work,  its  organizational 
structure,  and  appropriate  cost-benefit  considerations.  Thus  the  systems  established 
by  individual  organizations  will  vary  as  will  the  need  for,  and  extent  of,  their 
documentation  of  the  systems.  However,  each  organization  should  prepare 
appropriate  documentation  to  demonstrate  compliance  with  its  policies  and 
procedures  for  its  system  of  quality  control. 

3.22  Audit  organizations  performing  assignments  in  accordance  with  GAGAS  should 
have  an  external  peer  review  conducted  at  least  once  every  3  years  by  reviewers 
independent  of  the  organization  being  reviewed.^  The  external  peer  review  should 
determine  whether  the  organization’s  internal  quality  control  system  is  in  place  and 
operating  effectively  to  provide  reasonable  assurance  that  established  policies  and 
procedures  and  applicable  government  auditing  standards  are  being  followed. 

3.23  An  external  peer  review  under  this  standard  should  meet  the  following 
requirements. 

a.  Individuals  conducting  peer  reviews  of  an  audit  organization’s  system  of  quality 
control  should  have  thorough  knowledge  of  GAGAS  and  of  the  government 
environment  relative  to  the  work  being  reviewed. 

b.  Reviewers  should  be  independent  (as  defined  in  GAGAS)  of  the  audit 
organization  being  reviewed,  its  staff,  and  the  assignments  selected  for  review.  An 
organization  is  not  permitted  to  review  the  organization  that  conducted  its  most  recent 
external  peer  review.  Also,  the  employing  organization  of  the  peer  reviewers  should 
have  received  an  unqualified  opinion  on  the  review  of  their  organization’s  system  of
quality  controls.


^Audit  organizations  should  have  an  external  peer  review  conducted  within  3  years  from  the  date  they
start  (that  is,  start  of  field  work)  their  first  assignment  in  accordance  with  GAGAS.  Subsequent
external  peer  reviews  should  be  conducted  every  3  years.  Audit  organizations  should  generally
maintain  their  review  year  from  review  to  review.  Any  extensions  of  these  time  frames  to  meet  the
external  peer  review  requirements  can  only  be  granted  by  GAO  and  should  only  be  requested  for
extraordinary  circumstances.

c.  Reviewers  should  have  knowledge  and  training  on  how  to  perform  a  peer  review 
and  should  use  professional  judgment  in  conducting  and  reporting  the  results  of  the 
review. 

d.  This  review  should  include  a  review  of  the  organization’s  internal  quality  control 
policies  and  procedures,  reports,  audit  documentation,  and  other  necessary  documents 
(for  example,  independence  statements,  outside  employment  requests,  financial 
disclosure  reports,  and  CPE  documentation).  The  review  should  also  include  contacts 
with  various  levels  of  the  reviewed  organization’s  professional  staff  to  assess  their 
understanding  of  and  compliance  with  relevant  quality  control  policies  and 
procedures. 

e.  Reviewers  should  use  one  of  the  following  approaches  to  selecting  assignments  for 
review:  (1)  select  assignments  that  provide  a  reasonable  cross  section  of  the 
assignments  performed  by  the  reviewed  organization  in  accordance  with  GAGAS  or 
(2)  select  assignments  that  provide  a  reasonable  cross  section  of  the  reviewed 
organization’s  work  subject  to  quality  control  requirements,  including  one  or  more 
assignments  performed  in  accordance  with  GAGAS. 

f.  The  review  should  be  sufficiently  comprehensive  to  provide  a  reasonable  basis  for 
concluding  whether  the  reviewed  audit  organization’s  system  of  quality  control  was 
complied  with  to  provide  the  organization  with  reasonable  assurance  of  conforming 
with  professional  standards  in  the  conduct  of  its  work.  Reviewers  may  scale  back  the 
peer  review  procedures  based  on  the  reviewers’  evaluation  of  the  adequacy  and 
results  of  the  reviewed  organization’s  monitoring  efforts. 

g.  Reviewers  should  prepare  a  written  report(s)  communicating  the  results  of  the 
external  peer  review.  The  report  should  indicate  the  scope  of  the  review,  including 
any  limitations  thereon,  and  should  express  an  opinion  on  whether  the  system  of
quality  control  of  the  reviewed  organization  was  in  place  and  operating  effectively  to 
provide  reasonable  assurance  that  established  policies  and  procedures  and  applicable 
government  auditing  standards  are  followed.  The  report  should  also  describe  the 
reason(s)  for  any  modifications  to  the  opinion.  When  there  are  matters  that  resulted 
in  a  modification  to  the  standard  report,  reviewers  should  report  a  detailed  description 
of  the  findings  and  recommendations  to  enable  the  reviewed  organization  to  take 
appropriate  actions.  To  help  users  of  the  peer  review  report  understand  the  peer 
review  process,  each  report  should  be  accompanied  by  an  attachment  describing  the 
process,  including  how  peer  reviews  are  planned  and  performed. 

3.24  Audit  organizations  seeking  to  enter  into  a  contract  to  perform  an  assignment  in 
accordance  with  GAGAS  should  provide  their  most  recent  external  peer  review 
report^  to  the  party  contracting  for  the  audit  or  attestation  engagement.  Information  in 
the  external  peer  review  report  often  would  be  relevant  to  decisions  on  procuring 
audit  or  attestation  engagement  services. 

3.25  Auditors  who  are  relying  on  another  audit  organization’s  work  should  request  a 
copy  of  the  audit  organization’s  peer  review  report,  and  the  audit  organization  should 
provide  the  peer  review  report  when  requested.  Audit  organizations  also  should 
transmit  their  external  peer  review  reports  to  appropriate  oversight  bodies.  It  is  also 
recommended  that  the  report  be  made  available  to  the  public  in  a  timely  manner. 


^The  term  “report”  does  not  include  separate  letters  of  comment.


CHAPTER  4


FIELD  WORK  STANDARDS  FOR  FINANCIAL  AUDITS


INTRODUCTION

4.1  Generally  accepted  government  auditing  standards  (GAGAS)  incorporate  the  American  Institute
of  Certified  Public  Accountants'  (AICPA)  generally  accepted  field  work  standards  for  audits  and  the
related  AICPA  Statements  on  Auditing  Standards  (SASs)  unless  the  Comptroller  General  of  the
United  States  excludes  them  by  formal  announcement.^  This  chapter  identifies  the  AICPA  field
work  standards  and  prescribes  additional  standards  for  applying  the  AICPA  field  work  standards  for
financial  audits  performed  in  accordance  with  GAGAS.  This  chapter  concludes  with  guidance  that
auditors  should  give  consideration  to  when  performing  financial  audits  in  accordance  with  GAGAS.

4.2  Financial  audits  consist  of  all  work  performed  under  the  AICPA's  generally  accepted  auditing
standards  and  governed  by  the  AICPA  SASs,  which  interpret  the  standards.  Such  work  performed  in
a  government  environment  primarily  includes  audits  of  financial  statements.  The  SASs  also  govern
other  types  of  services  which  may  also  be  performed  in  a  government  environment,  such  as
compliance  auditing,  issuing  special  reports,  audits  of  service  organizations,  reviews  of  interim
financial  information,  and  issuing  letters  to  underwriters  and  certain  other  requesting  parties.  These
other  services  may  be  performed  in  conjunction  with  an  audit  of  financial  statements.


^To  date,  the  Comptroller  General  has  not  excluded  any  field  work  standards  or  statements  on  auditing  standards.

^The  term  "financial  statement"  refers  to  a  presentation  of  financial  data,  including  accompanying  notes,  derived  from
accounting  records  and  intended  to  communicate  an  entity's  economic  resources  or  obligations  at  a  point  in  time  or  the
changes  therein  for  a  period  of  time  in  conformity  with  an  identifiable  framework,  such  as  generally  accepted  accounting
principles  (GAAP)  or  an  other  comprehensive  basis  of  accounting  (OCBOA).  Audits  of  financial  statements  include  all
services  governed  by  the  AICPA's  SASs  for  which  the  auditors  are  engaged  to  provide  a  level  of  assurance  on  the  fair
presentation  of  financial  statements  in  accordance  with  a  stated  criteria.

^Special  reports  apply  to  auditors'  reports  issued  in  connection  with  the  following:  (1)  financial  statements  that  are
prepared  in  conformity  with  a  comprehensive  basis  of  accounting  other  than  generally  accepted  accounting  principles;  (2)
specified  elements,  accounts,  or  items  of  a  financial  statement;  (3)  compliance  with  aspects  of  contractual  agreements  or
regulatory  requirements  related  to  audited  financial  statements;  (4)  financial  presentations  to  comply  with  contractual
agreements  or  regulatory  provisions;  or  (5)  financial  information  presented  in  prescribed  forms  or  schedules  that  require  a
prescribed  form  of  auditor's  report.


FIELD  WORK  STANDARDS

4.3  The  three  AICPA  generally  accepted  standards  of  field  work  are  as  follows.

a.  The  work  is  to  be  adequately  planned,  and  assistants,  if  any,  are  to  be  properly  supervised.

b.  A  sufficient  understanding  of  internal  control  is  to  be  obtained  to  plan  the  audit  and  to
determine  the  nature,  timing,  and  extent  of  tests  to  be  performed. 

c.  Sufficient  competent  evidential  matter  is  to  be  obtained  through  inspection,  observation, 
inquiries,  and  confirmations  to  afford  a  reasonable  basis  for  an  opinion  regarding  the  financial 
statements  under  audit. 


ADDITIONAL  GAGAS  FIELD
WORK  STANDARDS

4.4  GAGAS  prescribe  additional  standards  for  applying  the  three  generally  accepted  AICPA
field  work  standards  which  go  beyond  the  requirements  contained  in  the  AICPA's  SASs.  Auditors
must  comply  with  these  additional  standards  when  citing  GAGAS  in  their  audit  reports.  The 
additional  GAGAS  relate  to 

a.  auditor  communication  (see  paragraphs  4.6  through  4.13), 

b.  considering  the  results  of  previous  audits  (see  paragraphs  4.14  through  4.16),

c.  noncompliance  with  provisions  of  contracts  and  grants  (see  paragraphs  4.17  through  4.19),  and


d.  audit  documentation  (see  paragraphs  4.20  through  4.24). 

4.5  This  chapter  concludes  with  guidance  auditors  should  give  consideration  to  when  performing 
financial  audits  in  accordance  with  GAGAS  for  the  following  areas: 

a.  audit  risk  and  materiality  (see  paragraphs  4.26  and  4.27), 

b.  internal  control  over  safeguarding  of  assets  (see  paragraphs  4.28  through  4.33), 

c.  internal  control  over  compliance  (see  paragraphs  4.34  through  4.36),  and 

d.  professional  judgment  concerning  possible  fraud  and  illegal  acts  (see  paragraphs  4.37  through 
4.39). 

AUDITOR  COMMUNICATION

4.6  An  additional  standard  related  to  auditor  communication  for  financial  audits  performed  in 
accordance  with  GAGAS  is: 

Auditors  should  communicate  information  regarding  the  nature  of  services  and  level  of 
assurance  provided  to  not  only  officials  of  the  audited  entity,  but  also  to  the  individuals 
contracting  for  or  requesting  the  audit  services,  and  the  audit  committee  or  other  equivalent 
oversight  body. 

4.7  AICPA  standards  and  GAGAS  require  auditors  to  establish  an  understanding  with  the  client  and
to  communicate  with  audit  committees.  GAGAS  broaden  the  parties  with  whom  auditors  must
communicate  during  the  planning  stages  of  a  financial  audit  to  reduce  the  risk  that  the  needs  or
expectations  of  the  parties  involved  may  be  misinterpreted.  Auditors  should  use  their  professional
judgment  to  determine  the  form,  content,  and  frequency  of  the  communication,  although  written 
communication  is  preferred,  and  should  document  the  communication.  Auditors  may  use  an 
engagement  letter,  if  appropriate,  to  communicate  the  information. 

4.8  Auditors  should  communicate  their  responsibilities  for  the  engagement  to  the  appropriate 
officials  of  the  audited  entity,  which  may  include 

a.  the  head  of  the  audited  entity, 

b.  the  audit  committee  or  board  of  directors  or  other  equivalent  oversight  body  in  the  absence  of  an 
audit  committee,  and 

c.  the  individual  who  possesses  a  sufficient  level  of  authority  and  responsibility  for  the  financial 
reporting  process,  such  as  the  chief  financial  officer. 

4.9  In  situations  where  auditors  are  performing  the  audit  under  a  contract  with  a  party  other  than  the 
officials  of  the  audited  entity,  or  pursuant  to  a  third-party  request,  auditors  should  also  communicate 
with  the  individuals  contracting  for  or  requesting  the  audit,  such  as  contracting  officials  or  legislative 
members  or  staff.  When  auditors  are  performing  the  audit  pursuant  to  a  law  or  regulation,  auditors 
should  communicate  with  the  legislative  members  or  staff  who  have  oversight  of  the  auditee.^
Auditors  should  coordinate  communications  with  the  responsible  government  audit  organization 
and/or  management  of  the  audited  entity,  and  may  use  the  engagement  letter  to  keep  interested 
parties  informed. 

4.10  In  communicating  the  nature  of  services  and  level  of  assurance  provided,  auditors  should 
specifically  address  their  planned  work  related  to  testing  compliance  with  laws  and  regulations  and 
internal  control  over  financial  reporting.  During  the  planning  stages  of  an  audit,  auditors  should
communicate  their  responsibilities  for  testing  and  reporting  on  compliance  with  laws  and  regulations
and  internal  control  over  financial  reporting.  Such  communication  should  include  the  nature  of  any
additional  testing  of  compliance  and  internal  control  required  by  laws  and  regulations  or  otherwise
requested,  and  whether  the  auditors  are  planning  on  providing  opinions  on  compliance  with  laws  and
regulations  and  internal  control  over  financial  reporting.

^This  requirement  applies  only  to  situations  where  the  law  or  regulation  specifically  identifies  the  entity  to  be  audited,
such  as  an  audit  of  a  specific  agency’s  financial  statements  required  by  the  Chief  Financial  Officers  Act,  as  expanded  by
the  Government  Management  Reform  Act  of  1994.  Situations  where  the  audit  of  financial  statements  mandate  applies  to
entities  not  specifically  identified,  such  as  audits  required  by  the  Single  Audit  Act  Amendments  of  1996,  are  excluded.

4.11  To  assist  in  understanding  the  limitations  of  auditors'  responsibilities  for  testing  and  reporting 
on  compliance  and  internal  control  over  financial  reporting,  auditors  may  want  to  contrast  those 
responsibilities  with  other  audits  of  compliance  and  controls.  The  discussion  in  paragraphs  4.12  and 
4.13  may  be  helpful  to  auditors  in  explaining  their  responsibilities  for  testing  and  reporting  on 
compliance  with  laws  and  regulations  and  internal  control  over  financial  reporting  to  officials  of  the 
audited  entity  and  other  interested  parties. 

4.12  Tests  of  compliance  with  laws  and  regulations  and  internal  control  over  financial  reporting  in  a
financial  audit  contribute  to  the  evidence  supporting  the  auditors'  opinion  on  the  financial  statements
or  other  conclusions  regarding  financial  data.  However,  such  tests  generally  are  not  sufficient  in
scope  to  opine  on  compliance  or  internal  control  over  financial  reporting.  To  meet  certain  audit
report  users'  needs,  laws  and  regulations  sometimes  prescribe  testing  and  reporting  on  compliance 
and  internal  control  over  financial  reporting  to  supplement  coverage  of  these  areas.^ 

4.13  Even  after  auditors  perform  and  report  the  results  of  additional  tests  of  compliance  and  internal 
control  over  financial  reporting  required  by  laws  and  regulations,  some  reasonable  needs  of  report 
users  still  may  be  unmet.  Auditors  may  meet  these  needs  by  performing  further  tests  of  compliance 
and  internal  control  in  either  of  two  ways:^

a.  supplemental  (or  agreed-upon)  procedures  or

b.  examination,  resulting  in  an  opinion.


^For  example,  when  engaged  to  perform  audits  under  the  Single  Audit  Act  Amendments  of  1996  for  state  and  local
government  entities  and  nonprofit  entities  that  receive  federal  awards,  auditors  should  be  familiar  with  the  Office  of
Management  and  Budget  (OMB)  Circular  A-133  on  single  audits.  The  act  and  circular  include  specific  audit
requirements,  mainly  in  the  areas  of  compliance  with  laws  and  regulations  and  internal  control,  that  exceed  the  minimum
audit  requirements  in  the  standards  in  chapters  4  and  5  of  this  document.  Audits  conducted  under  the  Chief  Financial
Officers  Act  of  1990,  as  expanded  by  the  Government  Management  Reform  Act  of  1994,  also  have  specific  audit
requirements  prescribed  by  OMB  in  the  areas  of  compliance  and  internal  control.  Many  state  and  local  governments
have  additional  audit  requirements.


GAO-02-340G  Government  Auditing  Standards  Exposure  Draft


CONSIDERING  THE  RESULTS
OF  PREVIOUS  AUDITS

4.14  An  additional  standard  for  financial  audits  performed  in  accordance  with  GAGAS  is: 

Auditors  should  consider  the  results  of  previous  audits  and  follow  up  on  known  significant 
findings  and  recommendations,  including  those  related  to  reportable  conditions,  identified  in 
previous  audits  reports  that  relate  to  the  objectives  of  the  audit  being  undertaken. 

4.15  Auditors  should  perform  such  follow-up  to  determine  whether  officials  of  the  audited  entity 
have  taken  appropriate  corrective  actions.  In  addition  to  following  up  on  significant  reported 
findings  and  recommendations  from  previous  financial  audits,  auditors  should  consider  significant 
findings  identified  in  attestation  engagements,  performance  audits,  or  other  studies  if  these  findings 
could  materially  affect  the  results  of  the  financial  audit.  For  example,  an  audit  report  on  an  entity’s 
computerized  information  systems  may  contain  significant  findings  that  could  relate  to  the  financial 
audit  if  the  entity  uses  such  systems  to  process  its  accounting  information.  In  any  event,  auditors 
need  to  make  judgments  about  the  extent  of  follow-up  needed  and  the  appropriate  disclosure  of 
uncorrected  significant  findings  and  recommendations  from  prior  audits  that  affect  the  audit 
objectives. 


^Such  work  is  generally  performed  under  the  AICPA’s  Statements  on  Standards  for  Attestation  Engagements.  See 
chapter  6  for  a  discussion  of  the  standards  used  when  performing  attestation  engagements. 

^Significant  findings  and  recommendations  are  those  matters  that,  if  not  corrected,  could  affect  the  results  of  the  auditors' 
work  and  users'  conclusions  about  those  results. 

4.16  Providing  continuing  attention  to  significant  findings  and  recommendations  is  important  to
ensure  that  the  benefits  of  audit  work  are  realized.  Ultimately,  the  benefits  of  audit  work  occur  when 
audit  findings  are  resolved  through  meaningful  and  effective  corrective  action  taken  in  response  to 
the  auditors’  findings  and  recommendations.  Officials  of  the  audited  entity  are  responsible  for 
resolving  audit  findings  and  recommendations  directed  to  them,  and  for  having  a  process  to  track 
their  status.  If  officials  of  the  audited  entity  do  not  have  such  a  process,  auditors  may  wish  to 
establish  their  own  process. 


NONCOMPLIANCE  WITH  PROVISIONS  OF
CONTRACTS  AND  GRANT  AGREEMENTS

4.17  The  additional  standard  related  to  compliance  with  provisions  of  contracts  and  grant 
agreements  for  financial  audits  performed  in  accordance  with  GAGAS  is: 

Auditors  should  design  the  audit  to  provide  reasonable  assurance  of  detecting  material 
misstatements  of  financial  statements  or  other  financial  data  resulting  from  noncompliance 
with  provisions  of  contracts  or  grant  agreements  that  have  a  direct  and  material  effect  on  the 
determination  of  financial  statement  amounts.  If  specific  information  comes  to  the  auditors' 
attention  that  provides  evidence  concerning  the  existence  of  possible  noncompliance  that  could 
affect  financial  data  significant  to  the  audit  objectives  or  that  could  have  a  material  indirect 
effect  on  the  financial  statements,  auditors  should  apply  audit  procedures  specifically  directed 
to  ascertaining  whether  noncompliance  has  occurred  or  is  likely  to  have  occurred. 

4.18  AICPA  standards  and  GAGAS  require  auditors  to  assess  the  risk  of  material  misstatements  of
financial  statements  due  to  fraud  and  should  consider  that  assessment  in  designing  the  audit
procedures  to  be  performed.  Auditors  are  also  required  to  design  the  audit  to  provide  reasonable
assurance  of  detecting  material  misstatements  resulting  from  direct  and  material  illegal  acts  and  to  be
aware  of  the  possibility  that  indirect  illegal  acts  may  have  occurred.  Under  GAGAS,  the  term
noncompliance,  however,  has  a  broader  meaning  than  fraud  and  illegal  acts.  Noncompliance
includes  not  only  fraud  and  illegal  acts,  but  also  violations  of  provisions  of  contracts  or  grant
agreements.

^Two  types  of  misstatements  are  relevant  to  the  auditors’  consideration  of  fraud  in  an  audit  of  financial  statements —
misstatements  arising  from  fraudulent  financial  statements  and  misstatements  arising  from  misappropriation  of
assets.  The  primary  factor  that  distinguishes  fraud  from  error  is  whether  the  underlying  action  that  results  in  the
misstatement  in  the  financial  statements  is  intentional  or  unintentional.

4.19  Under  GAGAS,  auditors  have  the  same  responsibilities  for  detecting  material  misstatements 
arising  from  other  types  of  noncompliance  as  they  do  for  detecting  those  arising  from  fraud  and 
illegal  acts.  Direct  and  material  noncompliance  is  noncompliance  having  a  direct  and  material  effect 
on  the  determination  of  financial  statement  amounts  or  could  have  a  significant  effect  on  other 
financial  data  needed  to  achieve  audit  objectives.  Auditors  should  design  the  audit  to  provide 
reasonable  assurance  of  detecting  material  misstatements  resulting  from  direct  and  material 
noncompliance  with  provisions  of  contracts  or  grant  agreements.  Indirect  noncompliance  is 
noncompliance  having  material  but  indirect  effects  on  financial  statements  or  other  financial  data 
needed to achieve audit objectives. If specific information comes to the auditors' attention that
provides evidence concerning the existence of possible noncompliance that could have a material
indirect effect on the financial statements or significant indirect effect on other financial data needed to
achieve audit objectives, auditors should apply audit procedures specifically directed to ascertaining
whether that noncompliance has occurred or is likely to have occurred.


AUDIT DOCUMENTATION


4.20  An  additional  standard  related  to  audit  documentation  for  financial  audits  performed  in 
accordance  with  GAGAS  is: 

Audit  documentation  should  contain  sufficient  information  to  enable  an  experienced  reviewer, 
who  has  had  no  previous  connection  with  the  audit,  to  ascertain  from  the  audit  documentation 
the  evidence  that  supports  the  auditors’  significant  judgments  and  conclusions.  Audit 
documentation  that  supports  significant  findings,  conclusions,  and  recommendations  should  be 
complete before auditors issue their report.

4.21 AICPA standards and GAGAS require auditors to prepare and maintain audit documentation.
The form and content of audit documentation should be designed to meet the circumstances of the
particular audit. The information contained in audit documentation constitutes the principal record
of the work that the auditors have performed and the conclusions that the auditors have reached. The
quantity, type, and content of audit documentation is a matter of the auditors' professional judgment.
However, audits performed in accordance with GAGAS are subject to review by other reviewers
and by oversight officials more frequently than audits done in accordance with AICPA standards.
Thus, whereas AICPA standards cite two main purposes of audit documentation—providing the
principal support for the audit report and aiding auditors in performing and supervising the audit—
audit documentation serves an additional purpose in audits performed in accordance with GAGAS.
Audit documentation allows for the review of audit quality by providing the reviewer documentation,
either in written or electronic formats, of the evidence supporting the auditors' significant judgments
and conclusions.

4.22  Audit  documentation  for  financial  audits  performed  under  GAGAS  should  contain  the 
following. 

a.  The  objectives,  scope,  and  methodology,  including  sampling  and  other  selection  criteria  used. 

b.  Documentation  of  the  auditor’s  determination  that  certain  additional  government  auditing 
standards do not apply or that an applicable standard was not followed, the reasons therefor, and the
known  effect  that  not  following  the  standard  had,  or  could  have,  on  the  audit. 

c. Documentation of the work performed to support significant judgments and conclusions,
including descriptions of transactions and records examined that would enable an experienced
reviewer to examine the same transactions and records.

Auditors may meet this requirement by listing voucher numbers, check numbers, or other means of identifying specific
documents they examined. Auditors are not required to include copies of documents they examined as part of the audit
documentation, nor are auditors required to list detailed information from those documents.

d. Auditors' basis for assessing control risk at the maximum level for assertions related to material
account balances, transaction classes, and disclosure components of financial statements when such
assertions are significantly dependent upon computerized information systems by addressing (1) the
ineffectiveness of the design and/or operation of the controls, or (2) the reasons why it would be
inefficient to test the controls.

e.  The  consideration  that  the  planned  audit  procedures  are  designed  to  achieve  audit  objectives  when 
evidential  matter  obtained  is  highly  dependent  on  computerized  information  systems  and  is  material 
to  the  audit  objective,  and  the  auditors  are  not  relying  on  the  effectiveness  of  internal  control  over 
those  computerized  systems  that  produced  the  information.  The  audit  documentation  should 
specifically  address  (1)  the  rationale  for  determining  the  nature,  timing,  and  extent  of  planned  audit 
procedures;  (2)  the  kinds  and  competence  of  available  evidential  matter  produced  outside  a 
computerized  information  system;  and  (3)  the  effect  on  the  audit  report  if  evidential  matter  to  be 
gathered does not afford a reasonable basis to achieve the audit objectives.¹⁰

f. Evidence of supervisory reviews of the work performed.

4.23 Underlying GAGAS audits is that federal, state, and local governments and other organizations
cooperate in auditing programs of common interest so that auditors may use others' work and avoid
duplicate audit efforts. In addition, audits performed in accordance with GAGAS are subject to
quality control and assurance reviews. Auditors should make arrangements to make audit
documentation available, upon request, in a timely manner to other auditors or reviewers.

Contractual arrangements for GAGAS audits should provide for full and timely access to audit
documentation to facilitate reliance by other auditors on the auditors' work, as well as reviews of
audit quality control and assurance.

4.24 Audit organizations should establish reasonable policies and procedures for the safe custody
and retention of audit documentation for a time sufficient to satisfy legal and administrative
requirements. If audit documentation is only retained electronically, the audit organization should
ensure that the electronic documentation is capable of being accessed throughout the specified
retention period established for audit documentation and is safeguarded through sound computer
security.

¹⁰This documentation requirement does not increase the auditors’ responsibility for testing internal control but is intended
to assist the auditor in ensuring that audit objectives are met and audit risk is reduced to an acceptable level.


ADDITIONAL CONSIDERATIONS
FOR FINANCIAL AUDITS PERFORMED
IN ACCORDANCE WITH GAGAS

4.25  As  discussed  in  chapter  1,  financial  audits  contribute  to  making  governments  more  accountable 
for  the  use  of  public  resources  and  the  delivery  of  services.  Because  of  the  increased  accountability 
associated  with  government  audits,  auditors  performing  financial  audits  in  accordance  with  GAGAS 
should  consider  the  following  guidance  related  to  audit  risk  and  materiality  (see  paragraphs  4.26  and 
4.27),  internal  control  over  safeguarding  of  assets  (see  paragraphs  4.28  through  4.33),  internal 
control over compliance (see paragraphs 4.34 through 4.36), and professional judgment concerning
possible fraud and illegal acts (see paragraphs 4.37 and 4.39).

Audit  Risk  and  Materiality 

4.26  The  AICPA  standards  and  GAGAS  require  that  the  work  is  to  be  properly  planned,  and 
auditors  should  consider  audit  risk  and  materiality,  among  other  matters,  in  determining  the  nature, 
timing,  and  extent  of  auditing  procedures  and  in  evaluating  the  results  of  those  procedures. 

Auditors’  consideration  of  audit  risk  and  materiality  is  a  matter  of  professional  judgment  and  is 
influenced  by  their  perception  of  the  needs  of  a  reasonable  person  who  will  rely  on  the  financial 
statements.  Materiality  judgments  are  made  in  light  of  surrounding  circumstances  and  necessarily 
involve  both  quantitative  and  qualitative  considerations. 

4.27  In  an  audit  of  a  government  entity  or  an  entity  that  receives  government  assistance,  auditors 
may  need  to  set  lower  materiality  levels  than  in  audits  in  the  private  sector  because  of  the  public 
accountability  of  the  audited  entity,  the  various  legal  and  regulatory  requirements,  and  the  visibility 
and  sensitivity  of  government  programs,  activities,  and  functions. 


GAO-02-340G  Government  Auditing  Standards  Exposure  Draft 


Internal Control Over
Safeguarding of Assets


4.28 Safeguarding of assets is an internal control objective that is especially important in
performing financial audits of governmental entities or others receiving government funds.¹¹ Given
the public accountability for stewardship of resources, safeguarding of assets permeates control
objectives and components as defined by the AICPA standards and GAGAS.

4.29  As  applied  to  financial  audits,  internal  control  over  safeguarding  of  assets  constitutes  a  process, 
effected  by  an  entity's  governing  body,  management,  and  other  personnel  designed  to  provide 
reasonable  assurance  regarding  prevention  or  timely  detection  of  unauthorized  acquisition,  use,  or 
disposition  of  the  entity's  assets  that  could  have  a  material  effect  on  the  financial  statements. 

4.30  Internal  control  over  the  safeguarding  of  assets  relates  to  the  prevention  or  timely  detection  of 
unauthorized  transactions  and  unauthorized  access  to  assets  that  could  result  in  losses  that  are 
material  to  the  financial  statements,  such  as  when  unauthorized  expenditures  or  investments  are 
made,  unauthorized  liabilities  are  incurred,  inventory  is  stolen,  or  assets  are  converted  to  personal 
use.  Such  controls  are  designed  to  help  ensure  the  use  of  and  access  to  assets  are  in  accordance  with 
management's  authorization.  Authorization  includes  approval  of  transactions  in  accordance  with 
control  activities  established  by  management  to  safeguard  assets,  such  as  establishing  and  complying 
with  requirements  for  extending  and  monitoring  credit  or  making  investment  decisions,  and  related 
documentation.  Control  over  safeguarding  of  assets  is  not  designed  to  protect  against  loss  of  assets 
arising  from  inefficiency  or  from  management's  operating  decisions,  such  as  incurring  expenditures 
for  equipment  or  material  that  proves  to  be  unnecessary  or  unsatisfactory. 

4.31 AICPA standards and GAGAS require auditors to obtain a sufficient understanding of internal
control to plan the audit. They also require auditors to plan the audit to provide reasonable assurance
of detecting material fraud, including material misappropriation of assets. Because preventing or
detecting material misappropriations is an objective of control over safeguarding of assets,
understanding this type of control can be essential to planning the audit.

¹¹Auditors should apply the guidance contained in this section to other types of financial audits to the extent it is
applicable to the nature of the engagement.

4.32  Control  over  safeguarding  of  assets  is  not  limited  to  preventing  or  detecting  misappropriations. 
It  also  helps  prevent  or  detect  other  material  losses  that  could  result  from  unauthorized  acquisition, 
use,  or  disposition  of  assets.  Such  controls  include,  for  example,  the  process  of  assessing  the  risk  of 
unauthorized  acquisition,  use,  or  disposition  of  assets  and  establishing  control  activities  to  help 
ensure  that  management  directives  to  address  the  risk  are  carried  out.  Such  control  activities  would 
include  permitting  acquisition,  use,  or  disposition  of  assets  only  in  accordance  with  management's 
general  or  specific  authorization,  including  compliance  with  established  control  activities  for  such 
acquisition,  use,  or  disposition.  They  would  also  include  comparing  existing  assets  with  the  related 
records  at  reasonable  intervals  and  taking  appropriate  action  with  respect  to  any  differences.  Finally, 
controls  over  safeguarding  of  assets  against  unauthorized  acquisition,  use,  or  disposition  also  relate 
to  making  available  to  management  information  it  needs  to  carry  out  its  responsibilities  related  to 
prevention  or  timely  detection  of  such  unauthorized  activities,  as  well  as  mechanisms  to  enable 
management  to  monitor  the  continued  effective  operation  of  such  controls. 

4.33  Understanding  the  control  over  safeguarding  of  assets  can  help  auditors  assess  the  risk  that 
financial  statements  could  be  materially  misstated.  For  example,  an  understanding  of  the  audited 
entity’s  control  over  the  safeguarding  of  assets  can  help  auditors  recognize  risk  factors  such  as 

a.  failure  to  adequately  monitor  decentralized  operations; 

b.  lack  of  control  over  activities,  such  as  lack  of  separation  of  duties  or  approval  for  major 
transactions; 

c. lack of control over computerized information systems, such as a lack of control over access to
applications that initiate or control the movement of assets;

d. failure to develop or communicate adequate control activities for security of data or assets, such
as allowing unauthorized personnel to have ready access to data or assets; and

e.  failure  to  investigate  significant  unreconciled  differences  between  reconciliations  of  a  control 
account  and  subsidiary  records. 

Internal  Control  Over  Compliance 

4.34  Governmental  entities  are  subject  to  a  variety  of  laws  and  regulations  that  affect  their  financial 
statements  or  other  financial  data,  which  is  a  major  factor  distinguishing  governmental  accounting 
from  private-sector  accounting.  For  example,  such  laws  and  regulations  may  address  the  required 
fund  structure,  procurement  or  debt  limitations,  or  authority  for  transactions.  Accordingly, 
compliance  with  such  laws  and  regulations  may  have  a  direct  and  material  effect  on  the 
determination of amounts in the financial statements of governmental entities. Likewise, entities that
receive government assistance, such as contractors, nonprofit entities, and other nongovernmental
entities, are also subject to regulations, contract provisions, or grant agreements that could have a
direct and material effect on their financial statements. Management, of both governmental entities
and others receiving governmental assistance, is responsible for ensuring that the entity complies
with not only the laws and regulations but also contract provisions and grant agreements applicable
to its activities. That responsibility encompasses the identification of applicable laws, regulations,
contract provisions, and grant agreements, as well as the establishment of controls designed to
provide reasonable assurance that the entity complies with those laws, regulations, contract
provisions,  and  grant  agreements. 

4.35 AICPA standards and GAGAS require auditors to design the audit to provide reasonable
assurance that the financial statements are free of material misstatements resulting from
noncompliance that have a direct and material effect on the determination of financial statement
amounts. To meet this requirement, auditors should have an understanding of internal control
relevant to financial statement assertions affected by those laws, regulations, contract provisions, or
grant agreements. Auditors may find it necessary to use the work of legal counsel in (1) determining
which laws and regulations might have a direct and material effect on the financial statements, (2)
designing tests of compliance with laws and regulations, and (3) evaluating the results of those
tests. Auditors also may find it necessary to use the work of legal counsel when an audit requires
testing compliance with provisions of contracts or grant agreements. Depending on the
circumstances of the audit, auditors may find it necessary to obtain information on compliance
matters from others, such as investigative staff, audit organizations, and officials of government
entities that provided assistance to the audited entity, and/or the applicable law enforcement
authority.

4.36 AICPA standards and GAGAS require that auditors use their understanding of internal control
relevant  to  financial  statement  assertions  affected  by  laws  and  regulations  to  identify  types  of 
potential  misstatements,  consider  factors  that  affect  the  risk  of  material  misstatement,  and  design 
substantive  tests.  GAGAS  extends  this  requirement  to  include  contract  provisions  and  grant 
agreements.  In  applying  this  requirement,  the  following  factors  may  influence  the  auditors' 
assessment  of  control  risk: 

a.  management's  awareness  or  lack  of  awareness  of  applicable  laws,  regulations,  contract  provisions, 
or  grant  agreements; 

b.  policy  of  the  audited  entity  regarding  such  matters  as  acceptable  operating  practices  and  codes  of 
conduct;  and 

c.  assignment  of  responsibility  and  delegation  of  authority  to  deal  with  such  matters  as 
organizational  goals  and  objectives,  operating  functions,  and  regulatory  requirements. 


AICPA standards provide guidance for auditors who use the work of a specialist who is not a member of their staff.


Professional Judgment Concerning
Possible Fraud and Illegal Acts


4.37 Under AICPA standards and GAGAS, auditors are responsible for being aware of the
characteristics  and  types  of  potentially  material  fraud  that  could  be  associated  with  the  area  being 
audited  so  that  they  can  plan  the  audit  to  provide  reasonable  assurance  of  detecting  material 
misstatements  of  the  financial  statements  due  to  fraud. 

4.38  Auditors  should  exercise  professional  judgment  in  pursuing  indications  of  possible  fraud  and 
illegal  acts  so  as  not  to  interfere  with  potential  future  investigations,  legal  proceedings,  or  both. 
Under  some  circumstances,  laws,  regulations,  or  policies  may  require  auditors  to  report  indications 
of  certain  types  of  fraud  or  illegal  acts  to  law  enforcement  or  investigatory  authorities  before 
extending  audit  steps  and  procedures.  Auditors  may  also  be  required  to  withdraw  from  or  defer 
further  work  on  the  audit  or  a  portion  of  the  audit  in  order  not  to  interfere  with  an  investigation. 

4.39  An  audit  made  in  accordance  with  GAGAS  will  not  guarantee  the  discovery  of  fraud  or  illegal 
acts  or  contingent  liabilities  resulting  from  them.  Nor  does  the  subsequent  discovery  of  illegal  acts 
committed  during  the  audit  period  mean  that  the  auditors'  performance  was  inadequate,  provided  the 
audit was made in accordance with GAGAS.


CHAPTER 5


REPORTING STANDARDS FOR FINANCIAL AUDITS


INTRODUCTION

5.1 This chapter presents reporting standards for financial audits, which include audits of
financial statements and other work governed by the American Institute of Certified Public
Accountants' (AICPA) generally accepted auditing standards and related Statements on Auditing
Standards (SASs). Generally accepted government auditing standards (GAGAS) incorporate the
AICPA field work and reporting standards and related SASs unless the Comptroller General of
the United States excludes them by formal announcement.¹ This chapter identifies the AICPA
generally accepted reporting standards and prescribes for financial audits conducted in
accordance with GAGAS additional reporting standards on

a. reporting compliance with generally accepted government auditing standards (see paragraphs
5.3 through 5.6),

b. reporting on compliance with laws and regulations and on internal control over financial
reporting (see paragraphs 5.7 through 5.10),

c. reporting deficiencies in internal control (see paragraphs 5.11 through 5.15),

d. reporting fraud, illegal acts, and other noncompliance (see paragraphs 5.16 through 5.26),

e. reporting views of responsible officials (see paragraphs 5.27 through 5.31),

f. privileged and confidential information (see paragraphs 5.32 through 5.34), and

g. report issuance and distribution (see paragraphs 5.35 through 5.38).

¹To date, the Comptroller General has not excluded any field work or reporting standards or statements on auditing
standards.

5.2 The four AICPA generally accepted standards of reporting are as follows.

a. The report shall state whether the financial statements are presented in accordance with
generally accepted accounting principles.

b. The report shall identify those circumstances in which such principles have not been
consistently observed in the current period in relation to the preceding period.

c. Informative disclosures in the financial statements are to be regarded as reasonably
adequate unless otherwise stated in the report.

d. The report shall either contain an expression of opinion regarding the financial
statements, taken as a whole, or an assertion to the effect that an opinion cannot be
expressed. When an overall opinion cannot be expressed, the reasons therefor should be
stated. In all cases where an auditor's name is associated with financial statements, the
report should contain a clear-cut indication of the character of the auditor's work, if any,
and the degree of responsibility the auditor is taking.


REPORTING COMPLIANCE WITH GENERALLY
ACCEPTED GOVERNMENT AUDITING STANDARDS


5.3  An  additional  reporting  standard  for  financial  audits  conducted  in  accordance  with  GAGAS 
is:

Audit reports should state that the audit was made in accordance with generally accepted
government auditing standards.

5.4  The  above  statement  refers  to  all  the  applicable  standards  that  the  auditors  should  have 
followed  during  their  audit.  The  statement  referencing  compliance  with  generally  accepted 
government  auditing  standards  should  be  qualified  in  situations  where  the  auditors  did  not  follow 
an  applicable  standard.  In  these  situations,  the  auditors  should  disclose  in  the  scope  section  of 
the report the applicable standard that was not followed, the reasons therefor, and how not
following  the  standard  affected,  or  could  have  affected,  the  results  of  the  audit. 

5.5  When  the  report  on  the  financial  audit  is  submitted  to  comply  with  a  legal,  regulatory,  or 
contractual  requirement  for  a  GAGAS  audit,  it  should  specifically  cite  GAGAS.  The  report  on 
the financial audit may cite AICPA standards as well as GAGAS.

5.6  An  audited  entity  receiving  a  GAGAS  audit  report  may  also  need  a  financial  audit  report  for 
purposes  other  than  to  comply  with  requirements  calling  for  a  GAGAS  audit.  For  example,  the 
audited  entity  may  need  audited  financial  statements  to  issue  bonds  or  for  other  financing 
purposes.  When  a  GAGAS  audit  is  the  basis  for  an  auditor's  subsequent  report  under  the  AICPA 
standards,  it  would  be  advantageous  to  users  of  the  subsequent  report  for  the  auditor's  report  to 
include  the  information  on  compliance  with  laws  and  regulations  and  internal  control  that  is 
required  by  GAGAS  but  not  required  by  AICPA  standards.  To  reissue  essentially  the  same 
report  omitting  the  information  regarding  compliance  with  laws  and  regulations  and  internal 
control is not in the public interest.


REPORTING ON COMPLIANCE WITH LAWS AND
REGULATIONS AND ON INTERNAL CONTROL
OVER FINANCIAL REPORTING²

5.7  An  additional  reporting  standard  for  financial  statement  audits  conducted  in  accordance 
with  GAGAS  is: 

When  providing  an  opinion  on  financial  statements,  auditors  should  include  in  their  report 
on  the  financial  statements  either  a  (1)  description  of  the  scope  of  the  auditors'  testing  of 
compliance  with  laws  and  regulations  and  internal  control  over  financial  reporting  and  the 
results  of  those  tests  or  an  opinion,  if  sufficient  work  was  performed;  or  (2)  reference  to  the 
separate  report(s)  containing  that  information.  In  presenting  the  results  of  those  tests, 
auditors  should  report  fraud,  illegal  acts,  other  material  noncompliance,  and  reportable 
conditions  in  internal  control  over  financial  reporting. 

5.8  Auditors  may  report  on  compliance  with  laws  and  regulations  and  internal  control  over 
financial  reporting  in  the  report  on  the  financial  statements  or  in  separate  report(s).  When 
auditors  report  on  compliance  and  internal  control  over  financial  reporting  as  part  of  the  report  on 
the  financial  statements,  auditors  should  include  an  introduction  summarizing  key  findings  in  the 
audit  of  the  financial  statements  and  the  related  compliance  and  internal  control  work.  Auditors 
should  not  issue  this  introduction  as  a  stand-alone  report. 

5.9 When auditors report separately (including separate reports bound in the same document) on
compliance with laws and regulations and internal control over financial reporting, the report on
the financial statements should state that the auditors are issuing those additional reports. The
report on the financial statements should also state that the reports on compliance with laws and
regulations and internal control over financial reporting are an integral part of a GAGAS audit,
and, in considering the results of the audit, these reports should be read along with the auditors’
report on the financial statements.

²Although the following standard on reporting on compliance with laws and regulations and on internal control over
financial reporting is applicable to audits of financial statements, the requirement to report deficiencies in internal
control (see paragraphs 5.11 through 5.15) and reporting fraud, illegal acts, and other noncompliance (see
paragraphs 5.16 through 5.26) is applicable to all financial audits.

Scope  of  Compliance  and  Internal  Control  Work 

5.10  Auditors  should  report  the  scope  of  their  testing  of  compliance  with  laws  and  regulations 
and  of  internal  control  over  financial  reporting,  including  whether  or  not  the  tests  they  performed 
provided  sufficient  evidence  to  support  an  opinion  on  compliance  with  laws  and  regulations  or 
internal  control  over  financial  reporting  and  whether  the  auditors  are  providing  such  opinions. 


REPORTING DEFICIENCIES IN
INTERNAL CONTROL

5.11  The  additional  reporting  standard  for  financial  audits  conducted  in  accordance  with 
GAGAS  is: 


Auditors  should  report  significant  deficiencies  in  internal  control  considered  to  be 
reportable  conditions  as  defined  in  AICPA  standards. 


5.12 


The  following  are  examples  of  matters  that  may  be  reportable  conditions: 
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a.  absence  of  appropriate  segregation  of  duties  consistent  with  appropriate  control  objectives; 


b.  absence  of  appropriate  reviews  and  approvals  of  transactions,  accounting  entries,  or  systems 
output; 


^Auditors  should  follow  the  AICPA’ s  Statements  on  Standards  for  Attestation  Engagements  when  providing  opinions 
on  internal  control  over  compliance  with  laws  and  regulations  or  on  internal  control  over  financial  reporting.  See 
chapter  6  for  a  discussion  of  the  attestation  standards. 

AICPA  standards  define  reportable  conditions  as  significant  deficiencies  in  the  design  or  operation  of  internal 
control  which  could  adversely  affect  the  entity’s  ability  to  record,  process,  summarize,  and  report  financial  data 
consistent  with  the  assertions  of  management  in  the  financial  statements. 

c. inadequate provisions for the safeguarding of assets;


d.  evidence  of  failure  to  safeguard  assets  from  loss,  damage,  or  misappropriation; 

e.  evidence  that  a  system  fails  to  provide  complete  and  accurate  output  consistent  with  the 
control  objectives  of  the  audited  entity  because  of  the  misapplication  of  control  activities; 

f.  evidence  of  intentional  override  of  internal  control  by  those  in  authority  to  the  detriment  of  the 
overall  objectives  of  the  system; 

g.  evidence  of  failure  to  perform  tasks  that  are  part  of  internal  control,  such  as  reconciliations  not 
prepared  or  not  timely  prepared; 

h.  absence  of  a  sufficient  level  of  control  consciousness  within  the  organization; 

i.  significant  deficiencies  in  the  design  or  operation  of  internal  control  that  could  result  in 
violations  of  laws  and  regulations  having  a  direct  and  material  effect  on  the  financial  statements; 
and 

j.  failure  to  follow  up  and  correct  previously  identified  deficiencies  in  internal  control. 

5.13  In  reporting  on  deficiencies  in  internal  control,  auditors  should  identify  those  that  are 
individually  or  in  the  aggregate  considered  to  be  material  weaknesses.^  Auditors  should  place 
their  findings  in  proper  perspective  by  providing  a  description  of  the  objectives,  scope,  and 
methodology used to conduct the work. To give the reader a basis for judging the prevalence and


^The  AICPA  standards  define  a  material  weakness  as  a  reportable  condition  in  which  the  design  or  operation  of  one 
or  more  of  the  internal  control  components  does  not  reduce  to  a  relatively  low  level  the  risk  that  misstatements 
caused  by  error  or  fraud  in  amounts  that  would  be  material  in  relation  to  the  financial  statements  being  audited  may 
occur  and  not  be  detected  within  a  timely  period  by  employees  in  the  normal  course  of  performing  their  assigned 
functions. 

consequences of these findings, the instances identified should be related to the population or the
number of cases examined and be quantified in terms of dollar value, if appropriate. Auditors
may include such information in their audit report or may prepare a separate report. If auditors
report separately, the audit report should contain a reference to the separate report containing this
information^ and state that the separate report is an integral part of the audit and should be
considered  in  assessing  the  results  of  the  audit. 

5.14  To  the  extent  possible,  auditors  should  present  findings  to  identify  the  elements  of  criteria, 
condition,  and  effect,  as  well  as  cause  when  problems  are  found.  In  addition,  auditors  should 
provide  recommendations  for  corrective  action  if  auditors  are  able  to  sufficiently  develop  the 
findings.  However,  the  elements  needed  for  a  finding  depend  entirely  on  the  scope  and 
objectives  of  the  financial  audit,  and,  as  a  result,  may  not  always  have  all  of  the  elements  fully 
developed.  At  a  minimum,  auditors  should  identify  the  condition,  criteria,  and  possible  effect  to 
provide  sufficient  information  to  federal,  state,  and  local  officials  to  assist  them  in  taking 
corrective  action. 

5.15 When auditors detect deficiencies in internal control that are not reportable conditions, they
should communicate those deficiencies to officials of the audited entity, preferably in writing. If
the  auditors  have  communicated  other  deficiencies  in  internal  control  in  a  management  letter  to 
officials  of  the  audited  entity,  auditors  should  refer  to  that  management  letter  when  they  report  on 
internal  control.  Auditors  should  include  in  their  audit  documentation  evidence  of  all 
communications  to  officials  of  the  audited  entity  about  deficiencies  in  internal  control. 


REPORTING FRAUD, ILLEGAL ACTS,
AND OTHER NONCOMPLIANCE

5.16  An  additional  reporting  standard  for  financial  audits  conducted  in  accordance  with  GAGAS 
is: 


^For  audits  of  financial  statements,  such  information  is  generally  included  in  the  reports  on  compliance  and  internal 
control  over  financial  reporting. 

Auditors should report fraud, illegal acts, or other material noncompliance. In some
circumstances,  auditors  should  report  fraud  and  illegal  acts  directly  to  parties  external  to 
the  audited  entity. 

5.17 AICPA standards and GAGAS require auditors to address the effect fraud or illegal acts
may have on the audit report and to determine that the audit committee or others with equivalent
authority and responsibility are adequately informed about the fraud or illegal acts. The
additional GAGAS standard does not modify these responsibilities. However, AICPA standards
do  not  require  that  this  communication  be  written,  nor  do  they  address  communication  regarding 
other  noncompliance  (violations  of  other  compliance  requirements  such  as  provisions  of 
contracts  or  grant  agreements). 

5.18  When  auditors  conclude,  on  the  basis  of  evidence  obtained,  that  fraud  or  an  illegal  act 
either  has  occurred  or  is  likely  to  have  occurred,^  they  should  report  the  relevant  information. 
Auditors  need  not  report  information  about  fraud  or  an  illegal  act  that  is  clearly  inconsequential. 
Thus,  auditors  should  include  in  their  report  the  same  information  about  fraud  and  illegal  acts 
that they have informed the audit committees about under AICPA standards. Auditors should
also  report  other  noncompliance  that  is  material  to  the  audit. 

5.19  In  reporting  material  fraud,  illegal  acts,  or  other  noncompliance,  the  auditors  should  place 
their  findings  in  proper  perspective  by  providing  a  description  of  the  objectives,  scope,  and 
methodology used to conduct the work. To give the reader a basis for judging the prevalence and
consequences  of  these  findings,  the  instances  identified  should  be  related  to  the  population  or  the 
number  of  cases  examined  and  be  quantified  in  terms  of  dollar  value,  if  appropriate.  Auditors 
may  include  such  information  in  their  audit  report  or  may  prepare  a  separate  report.  If  auditors 
report  separately,  the  audit  report  should  contain  a  reference  to  the  separate  report  containing  this 


^Whether  a  particular  act  is,  in  fact,  illegal  may  have  to  await  final  determination  by  a  court  of  law  or  other 
adjudicative  body.  Thus,  when  auditors  disclose  matters  that  have  led  them  to  conclude  that  an  illegal  act  is  likely  to 
have  occurred,  they  should  not  imply  that  they  have  made  a  determination  of  illegality. 

information and state that the report is an integral part of the audit and should be considered in
assessing  the  results  of  the  audit. 

5.20  To  the  extent  possible,  auditors  should  present  findings  to  identify  the  elements  of  criteria, 
condition,  and  effect,  as  well  as  cause  when  problems  are  found.  In  addition,  auditors  should 
provide  recommendations  for  corrective  action  if  auditors  are  able  to  sufficiently  develop  the 
findings.  However,  the  elements  needed  for  a  finding  depend  entirely  on  the  scope  and 
objectives  of  the  financial  audit,  and,  as  a  result,  may  not  always  have  all  of  the  elements  fully 
developed.  At  a  minimum,  auditors  should  identify  the  condition,  criteria,  and  possible  effect  to 
provide  sufficient  information  to  federal,  state,  and  local  officials  to  assist  them  in  taking 
corrective  action.  Auditors  should  also  obtain  the  views  of  responsible  officials  of  the  audited 
entity  regarding  the  findings  and  include  this  information  in  the  report  as  appropriate. 

5.21  When  auditors  detect  fraud,  illegal  acts,  or  other  noncompliance  that  do  not  meet  criteria 
for reporting in paragraph 5.18, they should communicate those findings to officials of the
audited entity, preferably in writing. If auditors have communicated those findings in a
management letter to officials of the audited entity, auditors should refer to that management
letter when they report on compliance. Auditors may provide less extensive disclosure of fraud
and illegal acts that are not material in either a quantitative or qualitative sense. Auditors should
include in their audit documentation evidence of all communications to officials of the audited
entity  about  fraud,  illegal  acts,  and  other  noncompliance. 

Direct  Reporting  of  Fraud  and  Illegal  Acts 

5.22  GAGAS  require  auditors  to  report  fraud  or  illegal  acts  directly  to  parties  outside  the  audited 
entity  in  two  circumstances,  as  discussed  below.  These  requirements  are  in  addition  to  any  legal 

^For audits of financial statements, such information is generally included in the reports on compliance with laws and
regulations and internal control over financial reporting.

^Paragraphs 4.26 and 4.27 provide guidance on factors that may influence auditors' materiality judgments in audits of
government  entities  or  entities  receiving  government  assistance.  AICPA  standards  provide  guidance  on  the 
interaction  of  quantitative  and  qualitative  considerations  in  materiality  judgments. 

requirements for direct reporting of fraud or illegal acts. Auditors should meet these
requirements  even  if  they  have  resigned  or  been  dismissed  from  the  audit. 

5.23  Officials  of  the  audited  entity  may  be  required  by  law  or  regulation  to  report  certain  fraud 
or  illegal  acts  to  specified  external  parties,  such  as  a  federal  inspector  general  or  a  state  attorney 
general.  If  auditors  have  communicated  such  fraud  or  illegal  acts  to  officials  of  the  audited  entity 
and  they  fail  to  report  them,  then  the  auditors  should  communicate  such  an  awareness  to  the 
governing  body  of  the  audited  entity.  If  the  officials  of  the  audited  entity  do  not  make  the 
required  report  as  soon  as  practicable  after  the  auditors'  communication  with  the  entity’s 
governing  body,  then  the  auditors  should  report  the  fraud  or  illegal  acts  directly  to  the  external 
party  specified  in  the  law  or  regulation. 

5.24  Management  of  the  audited  entity  is  responsible  for  taking  timely  and  appropriate  steps  to 
remedy fraud or illegal acts that auditors report to it. When fraud or an illegal act involves
assistance received directly or indirectly from a government agency, auditors may have a duty to
report directly if management fails to take remedial steps. If auditors conclude that such failure
is likely to cause them to depart from the standard report on the financial statements or resign
from the audit, then they should communicate that conclusion to the governing body of the
audited entity. Then, if officials of the audited entity do not report the fraud or illegal act as soon
as  practicable  to  the  entity  that  provided  the  government  assistance,  the  auditors  should  report  the 
fraud  or  illegal  act  directly  to  that  entity. 

5.25  In  both  of  these  situations,  auditors  should  obtain  sufficient,  competent,  and  relevant 
evidence,  such  as  confirmation  with  outside  parties,  to  corroborate  assertions  by  management 
that  it  has  reported  fraud  or  illegal  acts.  If  they  are  unable  to  do  so,  then  the  auditors  should 
report  the  fraud  or  illegal  acts  directly  as  discussed  above. 

5.26  Under  some  circumstances,  laws,  regulations,  or  policies  may  require  auditors  to  report 
promptly  indications  of  certain  types  of  fraud  or  illegal  acts  to  law  enforcement  or  investigatory 

^Internal audit organizations do not have a duty to report outside that entity unless required by law, rule, regulation,
or  policy. 

authorities. When auditors conclude that this type of fraud or illegal act either has occurred or is
likely  to  have  occurred,  they  should  ask  those  authorities  and/or  legal  counsel  if  reporting  certain 
information  about  that  fraud  or  illegal  act  would  compromise  investigative  or  legal  proceedings. 
Auditors  should  limit  their  reporting  to  matters  that  would  not  compromise  those  proceedings, 
such  as  information  that  is  already  a  part  of  the  public  record. 


VIEWS OF RESPONSIBLE OFFICIALS

5.27  An  additional  reporting  standard  for  financial  audits  performed  in  accordance  with  GAGAS 
is: 

If  the  auditors’  report  discloses  significant  deficiencies,  auditors  should  report  the  views  of 
responsible  officials  concerning  the  findings,  conclusions,  and  recommendations,  as  well  as 
corrections  planned. 

5.28  One  of  the  most  effective  ways  to  ensure  that  a  report  is  fair,  complete,  and  objective  is  to 
obtain  advance  review  and  comments  by  responsible  officials  of  the  audited  entity  and  others,  as 
may  be  appropriate.  Including  the  views  of  responsible  officials  produces  a  report  that  shows  not 
only  what  was  found  and  what  the  auditors  think  about  it  but  also  what  the  responsible  persons 
think  about  it  and  what  they  plan  to  do  about  it. 

5.29  Auditors  should  normally  request  that  the  responsible  officials'  views  on  significant 
findings,  conclusions,  and  recommendations  be  submitted  in  writing.  Oral  comments  are 
acceptable  as  well,  and,  in  some  cases,  may  be  the  only  or  most  expeditious  way  to  obtain 
comments.  Cases  in  which  obtaining  oral  comments  can  be  effective  include  when  there  is  a 
time-critical  need  to  meet  a  user’s  needs;  the  auditor  has  worked  closely  with  the  responsible 
officials  throughout  the  conduct  of  the  work  and  the  parties  are  very  familiar  with  the  findings 
and  issues  addressed  in  the  draft  product;  or  the  auditor  does  not  expect  major  disagreements 
with  the  draft  report’s  findings,  conclusions,  and  recommendations,  or  perceive  any  major 
controversies with regard to the issues discussed in the draft report. Auditors should prepare a
summary of the officials' oral comments and provide a copy of the summary to management of
the  audited  entity  to  verify  that  the  comments  are  accurately  stated. 

5.30  Comments  should  be  fairly  and  objectively  evaluated  and  recognized,  as  appropriate,  in  the 
final  report.  Comments,  such  as  a  promise  or  plan  for  corrective  action,  should  be  noted  but 
should  not  be  accepted  as  justification  for  dropping  a  significant  finding  or  a  related 
recommendation. 

5.31  When  the  comments  oppose  the  report's  findings,  conclusions,  or  recommendations,  and 
are  not,  in  the  auditors'  opinion,  valid,  the  auditors  should  state  their  reasons  for  disagreeing  with 
the  comments.  The  auditors’  disagreement  should  be  stated  in  a  fair  and  objective  manner. 
Conversely,  the  auditors  should  modify  their  report  as  necessary  if  they  find  the  comments  valid. 
Auditors  may  wish  to  attach  the  comment  letter  to  the  audit  report  to  provide  the  reader  with  both 
points  of  view. 


PRIVILEGED AND CONFIDENTIAL INFORMATION

5.32  An  additional  reporting  standard  for  financial  audits  conducted  in  accordance  with  GAGAS 
is: 

If  certain  pertinent  information  is  prohibited  from  general  disclosure,  the  audit  report 
should  state  the  nature  of  the  information  omitted  and  the  requirement  that  makes  the 
omission  necessary. 

5.33  Certain  information  may  be  prohibited  from  general  disclosure  by  federal,  state,  or  local 
laws  or  regulations.  Such  information  may  be  provided  on  a  need-to-know  basis  in  a  separate 
limited  official-use  report  which  is  restricted  to  only  persons  authorized  by  law  or  regulation  to 
receive it. The auditors should, when appropriate, consult with legal counsel regarding any
requirements  or  other  circumstances  that  may  necessitate  the  omission  of  certain  information. 

5.34  Additional  circumstances  associated  with  public  safety  and  security  concerns  could  also 
justify  the  exclusion  of  certain  information  in  the  report.  For  example,  information  related  to 
computer  security  for  a  particular  program  should  be  excluded  from  publicly  available  reports 
because  of  the  potential  damage  that  could  be  caused  by  the  misuse  of  this  information.  In  such 
circumstances,  auditors  may  issue  a  limited  official-use  report  containing  such  information  and 
distribute  the  report  only  to  those  parties  responsible  for  acting  on  the  auditors’ 
recommendations.  If  auditors  make  the  judgment  that  certain  additional  information  should  be 
excluded  from  a  publicly  available  report,  they  should  state  the  nature  of  the  information  omitted 
and the reasons that make the omission necessary.


REPORT ISSUANCE AND DISTRIBUTION

5.35  An  additional  reporting  standard  for  financial  audits  conducted  in  accordance  with  GAGAS 
is: 

Auditors  should  submit  written  audit  reports  to  the  appropriate  officials  of  the  audited 
entity  and  to  the  appropriate  officials  of  the  organizations  requiring  or  arranging  for  the 
audits,  including  external  funding  organizations  such  as  legislative  bodies,  unless  legal 
restrictions  prevent  it.  Auditors  should  also  send  copies  of  the  reports  to  other  officials 
who  have  legal  oversight  authority  or  who  may  be  responsible  for  acting  on  audit  findings 
and  recommendations  and  to  others  authorized  to  receive  such  reports.  Unless  the  report 
is  restricted  by  law  or  regulation,  or  contains  privileged  and  confidential  information, 
auditors  should  ensure  that  copies  be  made  available  for  public  inspection. 

5.36 Audit reports should be distributed in a timely manner to officials interested in the results.^
Such  officials  include  those  designated  by  law  or  regulation  to  receive  such  reports,  those 
responsible  for  acting  on  the  findings  and  recommendations,  those  of  other  levels  of  government 
that  have  provided  assistance  to  the  audited  entity,  and  legislators.  However,  if  the  subject  of  the 
audit  involves  material  that  is  classified  for  security  purposes  or  not  releasable  to  particular 
parties  or  the  public  for  other  valid  reasons,  auditors  may  limit  the  report  distribution. 

5.37  When  public  accountants  are  engaged,  the  engaging  organization  should  ensure  that  the 
report  is  distributed  appropriately.  If  the  public  accountants  are  to  make  the  distribution,  the 
engagement  agreement  should  indicate  which  officials  or  organizations  should  receive  the  report. 

5.38  Internal  auditors  should  follow  their  entity's  own  arrangements  and  statutory  requirements 
for  distribution.  Usually,  they  report  to  their  entity's  top  managers,  who  are  responsible  for 
distribution  of  the  report.  Further  distribution  of  reports  outside  the  organization  should  be  made 
in accordance with applicable laws, rules, regulations, or policy.


^See the Single Audit Act Amendments of 1996 and Office of Management and Budget (OMB) Circular A-133 on
single  audits  for  the  distribution  of  reports  on  single  audits  of  state  and  local  governmental  entities  and  nonprofit 
organizations  that  receive  federal  awards. 

CHAPTER 6


GENERAL, FIELD WORK, AND REPORTING
STANDARDS FOR ATTESTATION ENGAGEMENTS


INTRODUCTION 


6.1  In  an  attestation  engagement,  auditors  issue  an  examination,  a  review,  or  an  agreed-upon 
procedures report on subject matter, or on an assertion about the subject matter, that is the
responsibility of another party. Attestation engagements can cover a broad range of financial or
nonfinancial objectives^ and can be part of a financial statement audit or other engagement.
Attestation engagements are governed by the standards for attestation engagements issued by the
American Institute of Certified Public Accountants (AICPA). Generally accepted government
auditing standards (GAGAS) incorporate for attestation engagements the AICPA's general
standard on criteria, its field work standards, and its reporting standards, as well as the AICPA
Statements on Standards for Attestation Engagements (SSAEs), which interpret the attestation
standards, unless the Comptroller General of the United States excludes them by formal
announcement. This chapter identifies the AICPA's general standard on criteria, field work
standards,  and  reporting  standards  and  prescribes  additional  field  work  and  reporting  standards, 
as  well  as  guidance,  for  attestation  engagements  performed  in  accordance  with  GAGAS. 


^ See chapter 2 for examples of objectives for attestation engagements.

^  To  date,  the  Comptroller  General  has  not  excluded  any  field  work  standards,  reporting  standards,  or  statements  on 
standards  for  attestation  engagements. 

^ GAGAS incorporate only one of the AICPA's general standards for attestation engagements. In addition to this
general  standard,  auditors  should  follow  the  general  standards  for  work  performed  under  GAGAS,  as  discussed  in 
chapter  3. 

AICPA GENERAL AND FIELD WORK STANDARDS
FOR ATTESTATION ENGAGEMENTS

6.2 The AICPA's general standard related to criteria states the following.

The  practitioner  [auditor]  shall  perform  an  engagement  only  if  he  or  she  has  reason  to 
believe  that  the  subject  matter  is  capable  of  evaluation  against  criteria  that  are  suitable  and 
available  to  users. 

6.3  The  two  AICPA  field  work  standards  for  attestation  engagements  are  as  follows. 

a.  The  work  shall  be  adequately  planned  and  assistants,  if  any,  shall  be  properly 
supervised. 

b.  Sufficient  evidence  shall  be  obtained  to  provide  a  reasonable  basis  for  the  conclusion 
that  is  expressed  in  the  report. 

ADDITIONAL  FIELD  WORK  STANDARDS 
FOR  ATTESTATION  ENGAGEMENTS 


6.4  GAGAS  require  additional  field  work  standards  for  attestation  engagements  in  the  following 
areas: 

a.  auditor  communication  (see  paragraphs  6.5  and  6.7), 

b.  considering  the  results  of  previous  audits  and  attestation  engagements  (see  paragraphs  6.8 
through  6.10), 

c. audit documentation (see paragraphs 6.11 through 6.17),

d.  internal  control  (see  paragraphs  6.18  and  6.19),  and 

e. fraud, illegal acts, and other noncompliance (see paragraphs 6.20 through 6.22).

Auditor  Communication 


6.5  An  additional  field  work  standard  for  attestation  engagements  performed  in  accordance  with 
GAGAS  is: 

Auditors  should  communicate  information  to  officials  of  the  audited  entity  and  the 
individual  contracting  for  the  audit  services  regarding  the  nature  and  extent  of  planned 
testing  and  reporting  on  the  subject  matter  or  assertion. 

6.6  During  the  planning  stages  of  an  attestation  engagement,  auditors  should  communicate  to 
officials  of  the  audited  entity  and  to  individuals  requesting  or  contracting  for  the  services 
information  regarding  the  nature  and  extent  of  testing  and  reporting,  including  any  potential 
restriction  of  reports  associated  with  the  different  levels  of  assurance  services,  to  reduce  the  risk 
that  the  needs  or  expectations  of  the  parties  involved  may  be  misinterpreted.  For  example, 
attestation  standards  provide  for  the  following  three  levels  of  assurance. 

a.  Examination:  Auditors  perform  sufficient  testing  to  express  an  opinion  whether  the  subject 
matter  is  based  on  (or  in  conformity  with)  the  criteria  in  all  material  respects  or  the  assertion  is 
presented  (or  fairly  stated),  in  all  material  respects,  based  on  the  criteria. 

b. Review: Auditors perform sufficient testing to express a conclusion whether any information
came to the auditors' attention on the basis of the work performed that indicates the subject
matter is not based on (or in conformity with) the criteria or the assertion is not presented (or
fairly stated) in all material respects based on the criteria.^


As stated in the AICPA's statements on standards for attestation engagements, auditors should not perform
review-level work for reporting on internal control or compliance with laws and regulations.

c. Agreed-upon procedures: Auditors perform testing to issue a report of findings based on
specific procedures performed on subject matter.


6.7 Auditors should use their professional judgment to determine the form and content of the
communication, although written communication is preferred. Auditors may use an engagement
letter, if appropriate, to communicate the information. If the attestation engagement is part of a
larger audit, this information may be communicated as part of that audit. Whatever the form of
the communication, auditors should include audit documentation regarding the communication.

Considering  the  Results  of  Previous  Audits 
and  Attestation  Engagements 

6.8  An  additional  field  work  standard  for  attestation  engagements  performed  in  accordance  with 
GAGAS  is: 

Auditors  should  consider  the  results  of  previous  audits  and  attestation  engagements  and 
follow  up  on  known  significant  findings  and  recommendations  that  directly  relate  to  the 
subject  matter  of  the  attestation  engagement  being  undertaken. 

6.9  Auditors  should  determine  whether  officials  of  the  audited  entity  have  taken  appropriate 
corrective  actions  on  known  reported  significant  findings  and  recommendations.^  In  addition  to 
following  up  on  significant  reported  findings  and  recommendations  from  previous  financial 
audits  or  attestation  engagements,  auditors  should  consider  significant  findings  identified  in 
performance  audits  and  other  studies  if  these  findings  relate  to  subject  matter  or  assertions  of  the 
attestation  engagement.  For  example,  an  audit  report  on  an  entity’s  computerized  information 
systems  may  contain  significant  findings  that  could  relate  to  the  attestation  engagement  if  the 
entity  uses  such  systems  to  process  information  about  the  subject  matter  or  contained  in  an 
assertion  about  the  subject  matter.  Following  up  on  known  significant  findings  and 


^  Significant  findings  and  recommendations  are  those  matters  that,  if  not  corrected,  could  affect  the  results  of  the 
auditors'  work  and  users'  conclusions  about  those  results. 

recommendations identified in previous audits, attestation engagements, or studies can help
auditors  evaluate  the  subject  matter  or  the  assertion  associated  with  the  attestation  engagement. 

6.10  Providing  continuing  attention  to  significant  findings  and  recommendations  is  important  to 
ensure  the  benefits  of  audit  work  are  realized.  Ultimately,  the  benefits  of  audit  work  occur  when 
audit  findings  are  resolved  through  meaningful  and  effective  corrective  action  in  response  to  the 
auditors’  findings  and  recommendations.  Officials  of  the  audited  organization  are  responsible 
for  resolving  audit  findings  and  recommendations  directed  to  them  and  for  having  a  process  to 
track  their  status.  If  officials  of  the  audited  organization  do  not  have  such  a  process,  auditors 
may  wish  to  establish  their  own  process. 

Audit  Documentation 


6.11  The  additional  field  work  standard  related  to  audit  documentation  for  attestation 
engagements performed in accordance with GAGAS is:

Audit  documentation  should  contain  sufficient  information  to  enable  an  experienced 
reviewer,  who  has  had  no  previous  connection  with  the  attestation  engagement,  to  ascertain 
from  the  audit  documentation  the  evidence  that  supports  the  auditors'  significant 
judgments  and  conclusions.  Audit  documentation  that  supports  significant  findings, 
conclusions,  and  recommendations  should  be  complete  before  auditors  issue  their  report. 

6.12 AICPA standards and GAGAS require that auditors should prepare and maintain audit
documentation. The form and content of audit documentation should be designed to meet the
circumstances of the particular attestation engagement. The information contained in audit
documentation constitutes the principal record of the work that the auditors have performed and
the conclusions that the auditors have reached. The quantity, type, and content of audit
documentation are a matter of the auditors' professional judgment.

6.13  GAGAS  extend  the  level  of  required  audit  documentation  to  be  sufficient  for  an 
experienced  reviewer  who  has  had  no  previous  connection  with  the  engagement  to  understand 
the  evidence  that  supports  the  auditors'  significant  judgments  and  conclusions.  Further,  such
documentation  must  be  complete  before  auditors  issue  their  report. 

6.14  Attestation  engagements  done  in  accordance  with  GAGAS  are  subject  to  review  by  other 
auditors  and  by  oversight  officials  more  frequently  than  audits  done  in  accordance  with  AICPA
standards.  Thus,  whereas  AICPA  standards  cite  two  main  purposes  of  audit  documentation-
providing  the  principal  support  for  the  audit  report  and  aiding  auditors  in  the  conduct  and 
supervision  of  the  audit— audit  documentation  serves  an  additional  purpose  in  attestation 
engagements  performed  in  accordance  with  GAGAS.  Audit  documentation  allows  for  the 
review  of  audit  quality  by  providing  the  reviewer  documentation,  either  in  written  or  electronic 
formats,  of  the  evidence  supporting  the  auditors'  significant  judgments  and  conclusions. 

6.15  Audit  organizations  should  establish  reasonable  policies  and  procedures  for  the  safe 
custody  and  retention  of  audit  documentation  for  a  time  sufficient  to  satisfy  legal  and 
administrative  requirements.  If  audit  documentation  is  only  retained  electronically,  the  audit 
organization  should  ensure  that  the  electronic  documentation  is  capable  of  being  accessed 
throughout  the  specified  retention  period  established  for  audit  documentation  and  is  safeguarded 
through  sound  computer  security. 

6.16  Audit  documentation  for  attestation  engagements  under  GAGAS  should  contain  the 
following. 

a.  The  objectives,  scope,  and  methodology,  including  any  sampling  criteria  used. 

b.  Documentation  of  the  auditor’s  determination  that  certain  additional  government  auditing 
standards  do  not  apply  or  that  an  applicable  standard  was  not  followed,  the  reasons  therefore,  and 
the  known  effect  that  not  following  the  standard  had,  or  could  have,  on  the  attestation 
engagement. 

c.  Documentation  of  the  work  performed  to  support  significant  judgments  and  conclusions,
including  descriptions  of  transactions  and  records  examined  that  would  enable  an  experienced 
reviewer  to  examine  the  same  transactions  and  records.^ 

d.  The  consideration  that  the  planned  procedures  are  designed  to  achieve  objectives  of  the 
attestation  engagement  when  evidential  matter  obtained  is  highly  dependent  on  computerized 
information  systems  and  is  material  to  the  objective  of  the  engagement,  and  the  auditors  are  not 
relying  on  the  effectiveness  of  internal  control  over  those  computerized  systems  that  produced 
the  information.  The  audit  documentation  should  specifically  address  (1)  the  rationale  for 
determining  the  nature,  timing,  and  extent  of  planned  audit  procedures;  (2)  the  kinds  and 
competence  of  available  evidential  matter  produced  outside  a  computerized  information  system; 
and  (3)  the  effect  on  the  attestation  engagement  report  if  evidential  matter  to  be  gathered  does 
not  afford  a  reasonable  basis  to  achieve  the  objectives  of  the  engagement. 

e.  Evidence  of  supervisory  reviews  of  the  work  performed. 

6.17  One  factor  underlying  GAGAS  audits  is  that  federal,  state,  and  local  governments  and  other 
organizations  cooperate  in  auditing  programs  of  common  interest  so  that  auditors  may  use  others' 
work  and  avoid  duplicate  audit  efforts.  In  addition,  attestation  engagements  performed  in 
accordance  with  GAGAS  are  subject  to  quality  control  and  assurance  reviews.  Auditors  should 
make  arrangements  to  make  audit  documentation  available,  upon  request,  in  a  timely  manner  to 
other  auditors  or  reviewers.  Contractual  arrangements  for  attestation  engagements  performed  in 
accordance  with  GAGAS  should  provide  for  full  and  timely  access  to  audit  documentation  to 
facilitate  reliance  by  other  auditors  on  the  auditors'  work,  as  well  as  reviews  of  audit  quality 
control  and  assurance. 


^Auditors  may  meet  this  requirement  by  listing  voucher  numbers,  check  numbers,  or  other  means  of  identifying
specific  documents  they  examined.  Auditors  are  not  required  to  include  copies  of  documents  they  examined  as  part 
of  the  audit  documentation,  nor  are  auditors  required  to  list  detailed  information  from  those  documents. 

Internal  Control


6.18  An  additional  field  work  standard  for  attestation  engagements  performed  in  accordance 
with  GAGAS  is: 

In  planning  examination-level  attestation  engagements,  auditors  should  obtain  a  sufficient 
understanding  of  internal  control  that  is  material  to  the  subject  matter  or  assertion  to  plan 
the  engagement  and  design  procedures  to  achieve  the  objectives  of  the  attestation 
engagement. 

6.19  In  planning  the  engagement,  auditors  should  obtain  an  understanding  of  internal  control^  as
it  relates  to  the  subject  matter  or  assertion  to  which  the  auditors  are  attesting.  The  subject  matter 
or  assertion  may  be  of  a  financial  or  nonfinancial  nature,  and  internal  control  relevant  to  the 
subject  matter  or  assertion  the  auditor  is  testing  may  relate  to 

a.  effectiveness  and  efficiency  of  operations,  including  the  use  of  an  entity’s  resources;

b.  reliability  of  financial  reporting,  including  reports  on  budget  execution  and  other  reports  for
internal  and  external  use; 

c.  compliance  with  applicable  laws  and  regulations;  and 

d.  safeguarding  of  assets. 


^Although  not  applicable  to  attestation  engagements,  the  AICPA  statements  on  auditing  standards  may  provide
useful  guidance  related  to  internal  control  for  auditors  performing  attestation  engagements  in  accordance  with
GAGAS.  In  addition,  auditors  performing  attestation  engagements  may  wish  to  refer  to  the  internal  control
guidance  published  by  the  Committee  of  Sponsoring  Organizations  of  the  Treadway  Commission  (COSO).  The
Standards  for  Internal  Control  in  the  Federal  Government  (GAO/AIMD-00-21.3.1,  November  1999),  which
incorporates  the  relevant  guidance  developed  by  COSO,  provides  definitions  and  fundamental  concepts  pertaining  to
internal  control  at  the  federal  level  and  may  be  useful  to  auditors  at  any  level  of  government.  The  related  Internal 
Control  Management  and  Evaluation  Tool  (GAO-01-1008G,  August  2001),  based  on  the  federal  internal  control 
standards,  provides  a  systematic,  organized,  and  structured  approach  to  assessing  the  internal  control  structure. 

Fraud,  Illegal  Acts,  and  Other  Noncompliance


6.20  An  additional  field  work  standard  for  attestation  engagements  performed  in  accordance 
with  GAGAS  is: 

In  planning  examination-level  attestation  engagements,  auditors  should  design  the 
engagement  to  provide  reasonable  assurance  of  detecting  fraud,  illegal  acts,  or  other 
noncompliance  that  could  have  a  material  effect  on  the  subject  matter  or  assertion  of  the 
attestation  engagement. 

6.21  Auditors  should  exercise  professional  judgment  in  planning  the  engagement  by  obtaining 
an  understanding  of  the  possible  effects  of  fraud,  illegal  acts,  or  other  noncompliance  on  the 
subject  matter  or  assertion  of  the  attestation  engagement  and  by  identifying  and  assessing  any
associated  risks  that  could  have  a  material  effect  on  the  attestation  engagement.^  Auditors
should  include  audit  documentation  on  their  assessment  of  risk,  and,  when  risk  factors  are 
identified  as  being  present,  the  documentation  should  include 

a.  those  risk  factors  identified,  and 

b.  the  auditors’  response  to  those  risk  factors,  individually  or  in  combination. 

6.22  In  addition,  if  during  the  performance  of  the  attestation  engagement,  risk  factors  or  other 
conditions  are  identified  that  cause  the  auditors  to  believe  that  an  additional  response  is  required, 
such  factors  or  other  conditions,  and  any  future  response  the  auditors  concluded  was  appropriate, 
should  be  documented. 


^Although  not  applicable  to  attestation  engagements,  the  AICPA  statements  on  auditing  standards  may  provide
useful  guidance  related  to  fraud  for  auditors  performing  attestation  engagements  in  accordance  with  GAGAS. 

AICPA  REPORTING  STANDARDS
FOR  ATTESTATION  ENGAGEMENTS

6.23  The  AICPA  standards  for  attestation  engagements  provide  for  three  levels  of  reporting 
based  on  the  type  of  assurance  the  auditor  is  providing.  (See  paragraph  6.6.)  The  four  AICPA 
reporting  standards  for  attestation  engagements  are  as  follows. 

a.  The  report  shall  identify  the  subject  matter  or  the  assertion  being  reported  on  and  state 
the  character  of  the  engagement. 

b.  The  report  shall  state  the  practitioner’s  [auditors’]  conclusions  about  the  subject  matter 
or  the  assertion  in  relation  to  the  criteria  against  which  the  subject  matter  was  evaluated. 

c.  The  report  shall  state  all  of  the  practitioner’s  [auditors’]  significant  reservations  about
the  engagement,  the  subject  matter,  and,  if  applicable,  the  assertion  related  thereto.

d.  The  report  shall  state  that  the  use  of  the  report  is  restricted  to  specified  parties  under  the
following  circumstances:^  (1)  When  the  criteria  used  to  evaluate  the  subject  matter  are 
determined  by  the  practitioner  to  be  appropriate  only  for  a  limited  number  of  parties  who 
either  participated  in  their  establishment  or  can  be  presumed  to  have  an  adequate 
understanding  of  the  criteria.  (2)  When  the  criteria  used  to  evaluate  the  subject  matter  are 
available  only  to  specified  parties.  (3)  When  reporting  on  subject  matter  and  a  written 
assertion  has  not  been  provided  by  the  responsible  party.  (4)  When  the  report  is  on  an 
attest  engagement  to  apply  agreed-upon  procedures  to  the  subject  matter. 

^Auditors  should,  however,  follow  the  report  distribution  standard.  (See  paragraphs  6.39  through  6.43.)

ADDITIONAL  REPORTING  STANDARDS  FOR
ATTESTATION  ENGAGEMENTS 

6.24  GAGAS  require  additional  reporting  standards  for  attestation  engagements  in  the  following 
areas: 

a.  reporting  compliance  with  generally  accepted  government  auditing  standards  (see  paragraphs
6.25  through  6.27);

b.  reporting  on  internal  control  and  on  fraud,  illegal  acts,  and  other  noncompliance  (see 
paragraphs  6.28  through  6.31); 

c.  views  of  responsible  officials  (see  paragraphs  6.32  through  6.36); 

d.  privileged  and  confidential  information  (see  paragraphs  6.37  and  6.38);  and 

e.  report  issuance  and  distribution  (see  paragraphs  6.39  through  6.43). 

Reporting  Compliance  With  Generally  Accepted 
Government  Auditing  Standards 

6.25  An  additional  reporting  standard  for  attestation  engagements  performed  in  accordance  with 
GAGAS  is: 

Reports  on  attestation  engagements  should  state  that  the  engagement  was  made  in 
accordance  with  generally  accepted  government  auditing  standards. 

6.26  The  above  statement  refers  to  all  the  applicable  standards  that  the  auditors  should  have 
followed  during  the  attestation  engagement.  The  statement  should  be  qualified  in  situations 
where  the  auditors  did  not  follow  an  applicable  standard.  In  these  situations,  the  auditors  should 
disclose  in  the  scope  section  of  the  report  the  applicable  standard  that  was  not  followed,  the 
reasons  therefore,  and  how  not  following  the  standard  affected,  or  could  have  affected,  the
results  of  the  attestation  engagement. 

6.27  When  the  report  on  the  attestation  engagement  is  submitted  to  comply  with  a  legal, 
regulatory,  or  contractual  requirement  for  a  GAGAS  audit,  it  should  specifically  cite  GAGAS. 
An  audited  entity  receiving  a  GAGAS  attestation  report  may  also  need  a  report  on  the  attestation 
engagement  for  purposes  other  than  to  comply  with  requirements  calling  for  a  GAGAS  audit. 
When  a  GAGAS  attestation  engagement  is  the  basis  for  an  auditor's  subsequent  report  under  the 
AICPA  standards,  it  would  be  advantageous  to  users  of  the  subsequent  report  for  the  auditor's
report  to  include  the  information  on  compliance  with  laws  and  regulations  and  internal  control
that  is  required  by  GAGAS  but  not  required  by  AICPA  standards.  To  reissue  essentially  the
same  report  omitting  the  information  regarding  compliance  with  laws  and  regulations  and 
internal  control  is  not  in  the  public  interest. 

Reporting  on  Internal  Control  and  on  Fraud,
Illegal  Acts,  and  Other  Noncompliance

6.28  An  additional  reporting  standard  for  attestation  engagements  performed  in  accordance  with 
GAGAS  is: 

The  report  on  an  attestation  engagement  should  disclose  deficiencies  in  internal  control, 
including  internal  control  over  compliance  with  laws  and  regulations,  that  are  material  to 
the  subject  matter  or  assertion.  Fraud,  illegal  acts,  and  other  noncompliance  often  result 
from  the  lack,  or  circumvention,  of  internal  control.  Accordingly,  auditors  should  also 
disclose  in  the  report  on  the  attestation  engagement  instances  of  fraud,  illegal  acts,  or  other 
noncompliance  that  are  material  to  the  subject  matter  or  the  assertion. 

6.29  Auditors  should  place  their  findings  in  proper  perspective  by  providing  a  description  of  the 
objectives,  scope,  and  methodology  used  to  conduct  the  work.  To  give  the  reader  a  basis  for 
judging  the  prevalence  and  consequences  of  these  findings,  the  instances  identified  should  be 
related  to  the  population  or  the  number  of  cases  examined  and  be  quantified  in  terms  of  dollar 
value,  if  appropriate.  Auditors  need  not  report  information  about  fraud  or  an  illegal  act  that  is
clearly  inconsequential.  However,  these  matters  should  be  brought  to  the  attention  of 
management  of  the  audited  entity. 

6.30  To  the  extent  possible,  auditors  should  present  findings  to  identify  the  elements  of  criteria, 
condition,  and  effect,  as  well  as  cause  when  problems  are  found.  In  addition,  auditors  should 
provide  recommendations  for  corrective  action  if  auditors  are  able  to  sufficiently  develop  the 
findings.  However,  the  elements  needed  for  a  finding  depend  entirely  on  the  scope  and 
objectives  of  the  attestation  engagement,  and,  as  a  result,  may  not  always  have  all  of  the 
elements  fully  developed.  At  a  minimum,  auditors  should  identify  the  condition,  criteria,  and 
possible  effect  to  provide  sufficient  information  to  federal,  state,  and  local  officials  to  assist  them 
in  taking  corrective  action. 

6.31  When  auditors  detect  deficiencies  in  internal  control  that  are  not  material  to  the  subject 
matter  or  assertion  or  conclude,  on  the  basis  of  evidence  obtained,  that  fraud,  an  illegal  act,  or 
other  noncompliance  either  has  occurred  or  is  likely  to  have  occurred,^  they  should
communicate  relevant  information  to  officials  of  the  audited  entity,  preferably  in  writing. 
Auditors  should  include  in  their  audit  documentation  evidence  of  all  communications  to  officials 
of  the  audited  entity  about  deficiencies  in  internal  control  or  indications  of  fraud,  illegal  acts,  or 
other  noncompliance. 

Views  of  Responsible  Officials 

6.32  An  additional  reporting  standard  for  attestation  engagements  performed  in  accordance  with 
GAGAS  is: 


^Whether  a  particular  act  is,  in  fact,  illegal  may  have  to  await  final  determination  by  a  court  of  law.  Thus,  when
auditors  disclose  matters  that  have  led  them  to  conclude  that  an  illegal  act  is  likely  to  have  occurred,  they  should  not
imply  that  they  have  made  a  determination  of  illegality.

If  the  auditor’s  report  discloses  significant  deficiencies,  auditors  should  report  the  views  of
responsible  officials  concerning  the  findings,  conclusions,  and  recommendations,  as  well  as 
corrections  planned. 

6.33  One  of  the  most  effective  ways  to  ensure  that  a  report  is  fair,  complete,  and  objective  is  to 
obtain  advance  review  and  comments  by  responsible  officials  of  the  audited  entity  and  others,  as 
may  be  appropriate.  Including  the  views  of  responsible  officials  produces  a  report  that  shows  not 
only  what  was  found  and  what  the  auditors  think  about  it  but  also  what  the  responsible  persons 
think  about  it  and  what  they  plan  to  do  about  it. 

6.34  Auditors  should  normally  request  that  the  responsible  officials'  views  on  significant 
findings,  conclusions,  and  recommendations  be  submitted  in  writing.  Oral  comments  are 
acceptable  as  well,  and,  in  some  cases,  may  be  the  only  or  most  expeditious  way  to  obtain 
comments.  Cases  in  which  obtaining  oral  comments  can  be  effective  include  when  there  is  a 
time-critical  need  to  meet  a  user’s  needs;  the  auditors  have  worked  closely  with  the  responsible 
officials  throughout  the  conduct  of  the  work  and  the  parties  are  very  familiar  with  the  findings 
and  issues  addressed  in  the  draft  product;  or  the  auditor  does  not  expect  major  disagreements 
with  the  draft  report’s  findings,  conclusions,  and  recommendations,  or  perceive  any  major 
controversies  with  regard  to  the  issues  discussed  in  the  draft  report.  Auditors  should  prepare  a 
summary  of  the  officials’  oral  comments  and  provide  a  copy  of  the  summary  to  management  of 
the  audited  entity  to  verify  that  the  comments  are  accurately  stated. 

6.35  Comments  should  be  fairly  and  objectively  evaluated  and  recognized,  as  appropriate,  in  the 
final  report.  Comments,  such  as  a  promise  or  plan  for  corrective  action,  should  be  noted  but 
should  not  be  accepted  as  justification  for  dropping  a  significant  finding  or  a  related 
recommendation. 

6.36  When  the  comments  oppose  the  report's  findings,  conclusions,  or  recommendations,  and 
are  not,  in  the  auditors'  opinion,  valid,  the  auditors  should  state  their  reasons  for  disagreeing  with 
the  comments.  The  auditors’  disagreement  should  be  stated  in  a  fair  and  objective  manner. 
Conversely,  the  auditors  should  modify  their  report  as  necessary  if  they  find  the  comments  valid. 
Auditors  may  wish  to  attach  the  comment  letter  to  the  audit  report  to  provide  the  reader  with
both  points  of  view. 

Privileged  and  Confidential  Information 

6.37  An  additional  reporting  standard  for  attestation  engagements  performed  in  accordance  with 
GAGAS  is: 

If  certain  pertinent  information  is  prohibited  from  general  disclosure,  the  report  on  the 
attestation  engagement  should  state  the  nature  of  the  information  omitted  and  the 
requirement  that  makes  the  omission  necessary. 

6.38  Certain  information  may  be  prohibited  from  general  disclosure  by  federal,  state,  or  local 
laws  or  regulations.  Such  information  may  be  provided  on  a  need-to-know  basis  only  to  persons 
authorized  by  law  or  regulation  to  receive  it.  Additional  circumstances  associated  with  public 
safety  and  security  concerns  could  also  justify  the  exclusion  of  certain  information  in  the  report. 
For  example,  information  related  to  computer  security  for  a  particular  program  should  be 
excluded  from  the  report  because  of  the  potential  damage  that  could  be  caused  by  the  misuse  of 
this  information.  In  such  circumstances,  auditors  may  issue  a  limited  official-use  report 
containing  such  information  and  distribute  the  report  only  to  those  parties  responsible  for  acting 
on  the  auditors’  recommendations. 

Report  Issuance  and  Distribution 

6.39  An  additional  reporting  standard  for  attestation  engagements  performed  in  accordance  with 
GAGAS  is: 

Auditors  should  submit  written  reports  on  the  attestation  engagement  to  the  appropriate 
officials  of  the  audited  entity  and  to  the  appropriate  officials  of  the  organizations  requiring 
or  arranging  for  the  engagement,  including  external  funding  organizations,  unless  legal 
restrictions  prevent  it.  Auditors  should  also  send  copies  of  the  reports  to  other  officials 
who  have  legal  oversight  authority  or  who  may  be  responsible  for  acting  on  audit  findings
and  recommendations  and  to  others  authorized  to  receive  such  reports.  Unless  the  report
is  restricted  by  law  or  regulation,  auditors  should  ensure  that  copies  be  made  available  for
public  inspection. 

6.40  Reports  should  be  distributed  in  a  timely  manner  to  officials  interested  in  the  results.  Such 
officials  include  those  designated  by  law  or  regulation  to  receive  such  reports,  those  responsible 
for  acting  on  the  findings  and  recommendations  contained  in  the  report,  those  of  other  levels  of 
government  that  have  provided  assistance  to  the  audited  entity,  and  legislators. 

6.41  If  the  subject  of  the  attestation  engagement  involves  material  that  is  classified  for  security 
purposes  or  not  releasable  to  particular  parties  or  the  public  for  other  valid  reasons,  auditors  may 
limit  the  report  distribution.  Although  AICPA  standards  require  that  a  report  on  an  engagement
to  evaluate  an  assertion  that  has  been  prepared  on  agreed-upon  criteria  or  on  an  engagement  to
apply  agreed-upon  procedures  should  contain  a  statement  limiting  its  use  to
the  parties  who  have  agreed  upon  such  criteria  or  procedures,  such  a  statement  does  not  require
that  the  report  distribution  be  limited.

6.42  When  public  accountants  are  engaged,  the  engaging  organization  should  ensure  that  the
report  is  distributed  appropriately.  If  the  public  accountants  are  to  make  the  distribution,  the
engagement  agreement  should  indicate  which  officials  or  organizations  should  receive  the  report
and  other  steps  being  taken  to  ensure  the  availability  of  the  report  for  public  inspection. 

6.43  Internal  auditors  should  follow  their  entity's  own  arrangements  and  statutory  requirements 
for  distribution.  Usually,  they  report  to  their  entity's  top  manager,  who  is  responsible  for 
distribution  of  the  report.  Further  distribution  of  reports  outside  the  organization  should  be  made 
in  accordance  with  applicable  laws,  rules,  regulations,  or  policy.


GAO-02-340G  Government  Auditing  Standards  Exposure  Draft 


CHAPTER  7 


FIELD  WORK  STANDARDS  FOR  PERFORMANCE  AUDITS

INTRODUCTION

7.1  This  chapter  prescribes  field  work  standards  and  provides  guidance  to  auditors  conducting 
performance  audits  in  accordance  with  generally  accepted  government  auditing  standards 
(GAGAS).  The  field  work  standards  for  performance  audits  relate  to  planning  the  audit, 
supervising  staff,  obtaining  sufficient,  competent,  and  relevant  evidence,  and  preparing  audit 
documentation. 

PLANNING

7.2  The  field  work  standard  related  to  planning  for  performance  audits  conducted  in  accordance 
with  GAGAS  is: 

Work  is  to  be  adequately  planned. 

7.3  In  planning  the  audit,  auditors  should  define  the  audit  objectives,  as  well  as  the  scope  and
methodology  to  achieve  those  objectives.  Audit  objectives,  scope,  and  methodologies  are  not 
determined  in  isolation.  Auditors  determine  these  three  elements  of  the  audit  plan  together,  as 
the  considerations  in  determining  each  often  overlap.  Planning  is  a  continuous  process 
throughout  the  audit.  Therefore,  auditors  should  consider  the  need  to  make  adjustments  to  the 
audit  objectives,  scope,  and  methodology  as  work  is  being  completed. 

7.4  The  objectives  are  what  the  audit  is  intended  to  accomplish.  They  identify  the  audit  subjects 
and  performance  aspects  to  be  included,  as  well  as  the  potential  finding  and  reporting  elements 
that  the  auditors  expect  to  develop.^1  Audit  objectives  can  be  thought  of  as  questions  about  the
program^2  that  auditors  seek  to  answer.  (See  chapter  2.)

7.5  Scope  is  the  boundary  of  the  audit  and  should  be  directly  tied  to  the  audit  objectives.  For 
example,  the  scope  defines  parameters  of  the  audit  such  as  the  period  of  time  reviewed,  the 
availability  of  necessary  documentation  or  records,  and  the  number  of  locations  at  which  field 
work  will  be  conducted. 

7.6  The  methodology  comprises  the  work  involved  in  gathering  and  analyzing  data  to  achieve 
the  objectives.  Audit  procedures  are  the  specific  steps  and  tests  auditors  will  carry  out  to  address 
the  audit  objectives.  Auditors  should  design  the  methodology  to  provide  sufficient,  competent, 
and  relevant  evidence  to  achieve  the  objectives  of  the  audit.  Methodology  includes  both  the 
types  and  extent  of  audit  procedures  used  to  achieve  the  audit  objectives.  Auditors  may  use 
different  methodologies  drawn  from  a  wide  variety  of  disciplines. 

7.7  Planning  should  be  documented  and  should  include 

a.  considering  the  significance  of  various  programs  and  the  needs  of  potential  users  of  the  audit 
report  (see  paragraphs  7.8  and  7.9); 

b.  obtaining  an  understanding  of  the  program  to  be  audited  (see  paragraph  7.10);


^1  See  discussion  of  the  elements  of  a  finding  in  paragraphs  7.45  through  7.48.

^2  This  chapter  uses  only  the  term  program;  however,  the  concepts  presented  also  apply  to  audits  of  organizations,
activities,  and  services.

^3  If  the  auditor  chooses  to  apply  or  use  standards  or  methodologies  developed  by  other  professional  organizations
when  performing  work  under  GAGAS,  the  auditor  should  also  apply  the  standards  in  this  chapter  as  appropriate.
Even  if  auditors  do  not  follow  such  other  standards  and  methodologies,  they  may  still  serve  as  a  useful  source  of
guidance  to  auditors  in  planning  their  work  under  GAGAS.  However,  if  auditors  decide  to  perform  their  work  in
accordance  with  the  standards  for  attestation  engagements  issued  by  the  AICPA,  auditors  should  apply  the  additional
GAGAS  standards  for  attestation  engagements  contained  in  chapter  6.

c.  obtaining  an  understanding  of  internal  control  as  it  relates  to  the  specific  objectives  and  scope
of  the  audit  (see  paragraphs  7.11  through  7.16);

d.  designing  the  audit  methodology  and  procedures  to  test  compliance  with  legal  and  regulatory 
requirements  of  the  program  to  be  audited  that  are  significant  to  the  specific  objectives  and  scope 
of  the  audit  (see  paragraphs  7.17  through  7.20); 

e.  identifying  the  criteria  needed  to  evaluate  matters  subject  to  audit  (see  paragraph  7.21); 

f.  considering  the  results  of  previous  audits  that  could  affect  the  current  audit  objectives  (see 
paragraphs  7.22  and  7.23); 

g.  identifying  potential  sources  of  data  that  could  be  used  as  audit  evidence  (see  paragraph  7.24); 

h.  considering  whether  the  work  of  other  auditors  and  experts  may  be  used  to  satisfy  some  of  the 
auditors'  objectives  (see  paragraphs  7.25  and  7.27); 

i.  providing  appropriate  and  sufficient  staff  and  other  resources  to  perform  the  audit  (see 
paragraphs  7.28  through  7.31);

j.  communicating  general  information  concerning  the  planning  and  conduct  of  the  audit  to 
management  officials  responsible  for  the  program  being  audited,  and  others  as  applicable  (see 
paragraphs  7.32  and  7.33);  and 

k.  documenting  planning  decisions  (see  paragraphs  7.34  through  7.36). 

Program  Significance 

7.8  The  significance  of  a  matter  is  its  relative  importance  to  the  audit  objectives  and  potential 
users  of  the  audit  report.  Auditors  should  consider  the  significance  of  a  program  or  program 
component  and  the  potential  use  that  will  be  made  of  the  audit  results  or  report  as  they  plan  a
performance  audit.  Indicators  of  significance  and/or  use  to  consider  include 

a.  visibility  and  sensitivity  of  the  program  under  audit, 

b.  newness  of  the  program  or  changes  in  its  conditions, 

c.  role  of  the  audit  in  providing  information  that  can  improve  public  accountability  and 
decisionmaking,  and 

d.  level  and  extent  of  review  or  other  forms  of  independent  oversight. 

7.9  One  group  of  users  of  the  auditors'  report  is  government  officials  who  may  have  authorized 
or  requested  the  audit.  Another  important  user  of  the  auditors'  report  is  the  entity  being  audited, 
which  is  responsible  for  acting  on  the  auditors'  recommendations.  Other  potential  users  of  the 
auditors'  report  include  government  legislators  or  officials  (other  than  those  who  may  have 
authorized  or  requested  the  audit),  the  media,  interest  groups,  and  individual  citizens.  In  addition 
to  an  interest  in  the  program,  potential  users  may  have  an  ability  to  influence  the  conduct  of  the 
program.  An  awareness  of  these  potential  users'  interests  and  influence  can  help  auditors 
understand  why  the  program  operates  the  way  it  does.  This  awareness  can  also  help  auditors 
judge  whether  possible  findings  could  be  significant  to  various  possible  users. 

Understanding  the  Program

7.10  Auditors  should  obtain  an  understanding  of  the  program  to  be  audited  to  help  assess,  among 
other  matters,  the  significance  of  possible  audit  objectives  and  the  feasibility  of  achieving  them. 
The  auditors'  understanding  may  come  from  knowledge  they  already  have  about  the  program  or 
knowledge  they  gain  from  inquiries  and  observations  they  make  in  planning  the  audit.  The 
extent and breadth of those inquiries and observations will vary among audits based on the audit
objectives, as will the need to understand individual aspects of the program, such as the
following. 

a. Laws and regulations: Government programs usually are created by law and are subject to
more  specific  laws  and  regulations  than  the  private  sector.  For  example,  laws  and  regulations 
usually  set  forth  what  is  to  be  done,  who  is  to  do  it,  the  purpose  to  be  achieved,  the  population  to 
be  served,  and  how  much  can  be  spent  on  what.  Thus,  understanding  the  laws  and  the  legislative 
history establishing a program can be essential to understanding the program itself. Obtaining
that  understanding  is  also  a  necessary  step  in  identifying  provisions  of  laws  and  regulations 
significant  to  audit  objectives. 

b.  Purpose  and  goals:  Purpose  is  the  result  or  effect  that  is  intended  or  desired  from  a  program’s 
operation.  Legislatures  usually  establish  the  program  purpose  when  they  provide  authority  for 
the  program.  Entity  officials  may  provide  more  detailed  guidance  on  program  purpose  to 
supplement  the  authorizing  legislation.  Entity  officials  are  sometimes  asked  to  set  goals  for 
program  performance  and  operations,  including  both  outcome  and  output  goals.  Auditors  may 
use  the  stated  program  purpose  and  goals  as  criteria  for  assessing  program  performance  or  may 
develop  additional  criteria  or  best  practices  to  compare  the  program  with. 

c.  Internal  control:  Internal  control,  often  referred  to  as  management  controls,  in  the  broadest 
sense  includes  the  plan  of  organization,  methods,  and  procedures  adopted  by  management  to 
meet its missions, goals, and objectives. Internal control includes the processes for planning,
organizing,  directing,  and  controlling  program  operations.  It  includes  the  systems  for  measuring, 
reporting,  and  monitoring  program  performance.  Internal  control  also  serves  as  the  first  line  of 
defense  in  safeguarding  assets  and  preventing  and  detecting  errors  and  fraud.  Paragraphs  7.11 
through  7.16  contain  guidance  pertaining  to  internal  control. 

d.  Efforts:  Efforts  are  the  amount  of  resources  (in  terms  of  money,  material,  personnel,  and  so 
forth)  that  are  put  into  a  program.  These  resources  may  come  from  within  or  outside  the  entity 
operating the program. Measures of efforts can have a number of dimensions, such as cost,
timing, and quality. Examples of measures of efforts are dollars, employee-hours, and square
feet  of  building  space. 

e.  Program  operations:  Program  operations  are  the  strategies,  processes,  and  activities 
management  uses  to  convert  efforts  into  outputs.  Program  operations  are  subject  to  internal 
control. 

f.  Outputs:  Outputs  represent  the  quantity  of  a  good  or  service  produced  by  a  program.  For 
example,  an  output  measure  for  a  job  training  program  could  be  the  number  of  persons 
completing  training,  and  an  output  measure  for  an  aviation  safety  inspection  program  could  be 
the  number  of  safety  inspections  completed. 

g.  Outcomes:  Outcomes  are  accomplishments  or  results  of  programs.  For  example,  an  outcome 
measure  for  a  job  training  program  could  be  the  percentage  of  trained  persons  obtaining  a  job  and 
still  in  the  work  place  after  a  specified  period  of  time.  Examples  of  outcome  measures  for  an 
aviation  safety  inspection  program  could  be  the  percentage  reduction  in  significant  safety 
problems  found  in  subsequent  inspections  and/or  the  percentage  of  significant  problems  deemed 
corrected  in  follow-up  inspections.  Such  outcome  measures  show  progress  in  achieving  the  stated 
program  purposes  of  helping  unemployable  citizens  get  and  keep  jobs  and  improving  the  safety 
of  aviation  operations.  Auditors  should  be  aware  that  outcomes  may  be  influenced  by  cultural, 
economic,  physical,  or  technological  factors  outside  the  program.  Auditors  may  use  approaches 
drawn  from  the  field  of  program  evaluation  to  try  to  isolate  the  effects  of  the  program  from  these 
other  influences. 

Internal  Control 

7.11  Auditors  should  obtain  an  understanding  of  the  internal  control  environment,  as  well  as 
specific  internal  controls,  that  are  significant  to  the  audit  objectives,  including  internal  control 
over  compliance  with  legal  and  regulatory  requirements,  and  consider  whether  the  internal 
controls  have  been  placed  in  operation.  Auditors  also  need  to  consider  whether  any  reliance  will 
be placed on internal controls in designing audit procedures. If so, auditors should include
specific tests of the effectiveness of internal control and consider the results in designing audit
procedures.⁴ Management is responsible for establishing effective internal control. The lack of
administrative  continuity  in  government  units  because  of  changes  in  elected  legislative  bodies 
and  in  administrative  organizations  increases  the  need  for  effective  internal  control. 

7.12  The  following  classification  of  internal  control  is  intended  to  help  auditors  better 
understand  internal  controls  and  determine  their  significance  to  the  audit  objectives. 

a. Effectiveness and efficiency of program operations: Controls over program operations
include  policies  and  procedures  that  management  has  implemented  to  reasonably  ensure  that  a 
program  meets  its  objectives  and  that  unintended  actions  do  not  result,  such  as  improper 
payments.  Understanding  these  controls  can  help  auditors  understand  the  program  operations 
that  convert  efforts  to  outputs  or  outcomes. 

b.  Validity  and  reliability  of  data:  Controls  over  the  validity  and  reliability  of  data  include 
policies and procedures that management has implemented to reasonably ensure that valid and
reliable data are obtained, maintained, and fairly disclosed in reports. These controls help assure
management  that  it  is  getting  valid  and  reliable  information  about  whether  programs  are 
operating  properly  on  an  ongoing  basis.  Understanding  these  controls  can  help  auditors  (1) 
assess  the  risk  that  the  data  gathered  by  the  entity  may  not  be  valid  or  reliable  and  (2)  design 
appropriate  tests  of  the  data. 

c. Compliance with applicable laws and regulations: Controls over compliance with applicable
laws and regulations include policies and procedures that management has implemented to
reasonably ensure that program implementation is consistent with laws and regulations.
Understanding the controls relevant to compliance with those laws and regulations that the
auditors have determined are significant can help auditors assess the risk of illegal acts.

⁴ Refer to internal control guidance developed for the private sector, Internal Control - Integrated Framework,
published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The publication,
Standards for Internal Control in the Federal Government (GAO/AIMD-00-21.3.1, November 1999), which
incorporates the relevant guidance developed by COSO, provides definitions and fundamental concepts pertaining to
internal control at the federal level and may be useful to other auditors at any level of government. The related
Internal Control Management and Evaluation Tool (GAO-01-1008G, August 2001), based on the federal internal
control standards, provides a systematic, organized, and structured approach to assessing the internal control
structure.

7.13  A  subset  of  these  categories  of  internal  control  is  the  safeguarding  of  resources.  Controls 
over  the  safeguarding  of  resources  include  policies  and  procedures  that  management  has 
implemented  to  reasonably  prevent  or  promptly  detect  unauthorized  acquisition,  use,  or 
disposition  of  resources. 

7.14  Auditors  can  obtain  an  understanding  of  internal  control  through  inquiries,  observations, 
inspection  of  documents  and  records,  or  review  of  other  auditors'  reports.  The  procedures 
auditors  perform  to  obtain  an  understanding  of  internal  control  will  vary  among  audits.  One 
factor  influencing  the  extent  of  these  procedures  is  the  auditors'  knowledge  about  internal  control 
gained  in  prior  audits.  Also,  the  need  to  understand  internal  control  will  depend  on  the  particular 
aspects  of  the  program  the  auditors  consider  in  setting  objectives,  scope,  and  methodology.  The 
following  are  examples  of  how  the  auditors'  understanding  of  internal  control  can  influence  the 
audit  plan. 

a.  Audit  objectives:  Poorly  controlled  aspects  of  a  program  have  a  higher  risk  of  failure,  so  they 
may  be  more  significant  than  others  in  terms  of  where  auditors  would  want  to  focus  their  efforts. 

b.  Audit  scope:  Knowledge  of  the  internal  control  environment  and  the  status  of  controls  in  a 
certain  location  may  lead  auditors  to  target  their  efforts  there. 

c.  Audit  methodology:  Effective  controls  over  collecting,  summarizing,  and  reporting  data  may 
enable  auditors  to  limit  the  extent  of  their  direct  testing  of  data  validity  and  reliability.  In 
contrast,  evidence  suggesting  ineffective  controls  may  lead  auditors  to  perform  more  direct 
testing of the data, look for data from outside the entity, or develop their own data.

7.15 When internal controls are significant to the audit objectives, auditors should plan to obtain
sufficient evidence to support their judgments about those controls.⁵ The following are examples
of circumstances where internal controls can be significant to audit objectives.

a.  In  determining  the  cause  of  unsatisfactory  performance,  that  unsatisfactory  performance  could 
result  from  weaknesses  in  specific  internal  controls. 

b.  When  assessing  the  validity  and  reliability  of  performance  measures  developed  by  the  audited 
entity,  effective  internal  control  over  collecting,  summarizing,  and  reporting  data  will  help  ensure 
valid  and  reliable  performance  measures. 

7.16 Internal auditing is an important part of internal control.⁶ When an assessment of internal
control  is  called  for,  the  work  of  the  internal  auditors  can  be  used  to  help  provide  reasonable 
assurance  that  internal  controls  are  functioning  properly  and  to  prevent  duplication  of  effort. 

Considering Legal, Regulatory, and
Other  Compliance  Requirements 

7.17  When  laws,  regulations,  and  other  compliance  requirements  such  as  provisions  of  contracts 
or  grant  agreements  are  significant  to  the  audit  objectives,  auditors  should  design  the  audit  to 
provide  reasonable  assurance  about  compliance  with  them.  This  requires  determining  which 
laws,  regulations,  and  other  compliance  requirements  are  significant  to  the  audit  objectives  and 
assessing the risk that significant noncompliance could occur.⁷ Based on that risk assessment,
the auditors design and perform procedures to provide reasonable assurance of detecting
significant instances of noncompliance. (See paragraphs 7.59 through 7.63 for a discussion of
evidence indicative of fraud, illegal acts, or other noncompliance.)

⁵ The Standards for Internal Control in the Federal Government (GAO/AIMD-00-21.3.1, November 1999) is one
source of established criteria auditors can use to support their judgments and conclusions about internal control.

⁶ Many government entities have these activities identified by other names, such as inspection, appraisal,
investigation, organization and methods, or management analysis. These activities assist management by reviewing
selected functions.

⁷ The term noncompliance includes not only illegal acts resulting from violations of laws and regulations, but also
violations of provisions of contracts or grant agreements.

7.18  Auditors  may  find  it  necessary  to  work  with  legal  counsel  to  (1)  determine  those  laws  and 
regulations  that  are  significant  to  the  audit  objectives,  (2)  design  tests  of  compliance  with  laws 
and  regulations,  or  (3)  evaluate  the  results  of  those  tests.  Auditors  also  may  find  it  necessary  to 
rely  on  the  work  of  legal  counsel  when  audit  objectives  require  testing  compliance  with 
provisions  of  contracts  or  grant  agreements.  Depending  on  the  circumstances  of  the  audit, 
auditors  may  find  it  necessary  to  obtain  information  on  compliance  matters  from  others,  such  as 
investigative  staff,  other  audit  organizations  or  government  entities  that  provided  assistance  to 
the  audited  entity,  or  the  applicable  law  enforcement  authority. 

7.19  It  is  not  practical  to  set  precise  standards  for  determining  if  laws,  regulations,  or  other 
compliance requirements are significant to audit objectives because government programs are
subject to many laws, regulations, and other compliance requirements, and audit objectives vary
widely. However, auditors may find the following approach helpful in making that
determination.

a. Reduce each audit objective to questions about specific aspects of the program being audited
(that is, purpose and goals, internal control, efforts, program operations, outputs, and outcomes,
as discussed in paragraph 7.10).

b. Identify laws, regulations, and other compliance requirements that directly relate to specific
aspects of the program included in questions that reflect the audit objectives.

c.  Determine  if  violations  of  those  laws,  regulations,  or  other  compliance  requirements  could 
significantly  affect  the  auditors'  answers  to  the  questions  that  relate  to  the  audit  objectives.  If 
they  could,  then  those  laws,  regulations,  and  other  compliance  requirements  are  likely  to  be 
significant  to  the  audit  objectives. 

⁸ Paragraphs 7.25 through 7.27 discuss relying on the work of others.

7.20 In planning tests of compliance with significant laws, regulations, and other compliance
requirements,  auditors  should  assess  the  risk  that  noncompliance  could  occur.  That  risk  may  be 
affected  by  such  factors  as  the  complexity  of  the  laws  and  regulations  or  their  newness.  The 
auditors'  assessment  of  risk  includes  consideration  of  whether  the  entity  has  controls  that  are 
effective  in  preventing  or  detecting  noncompliance.  Management  is  responsible  for  establishing 
effective  controls  to  ensure  compliance  with  laws  and  regulations,  as  well  as  other  compliance 
requirements  such  as  provisions  of  contracts  or  grant  agreements.  If  auditors  obtain  sufficient 
evidence  of  the  effectiveness  of  these  controls,  they  can  reduce  the  extent  of  their  tests  of 
compliance. 

Criteria 

7.21  Criteria  are  the  standards,  measures,  expectations  of  what  should  exist,  best  practices,  or 
benchmarks  against  which  performance  is  compared  or  evaluated.  Criteria,  one  of  the  elements 
of  a  finding,  provide  a  context  for  understanding  the  results  of  the  audit.  (See  paragraphs  7.45 
through  7.48  for  a  discussion  on  the  other  elements  of  a  finding.)  The  audit  plan,  where  possible, 
should  state  the  criteria  to  be  used.  In  selecting  criteria,  auditors  have  a  responsibility  to  use 
criteria  that  are  reasonable,  attainable,  and  relevant  to  the  objectives  of  the  performance  audit. 
The  following  are  some  examples  of  possible  criteria: 

a.  purpose  or  goals  prescribed  by  law  or  regulation  or  set  by  management, 

b.  policies  and  procedures  established  by  management  of  the  audited  entity, 

c.  technically  developed  standards  or  norms, 

d.  expert  opinions, 

e. prior years' performance,

f. performance of similar entities,

g. performance in the private sector, or

h.  best  practices  of  leading  organizations. 

Considering  the  Results  of  Previous  Audits 

7.22 Auditors should consider the results of previous audits and follow up on known significant
findings  and  recommendations  that  directly  relate  to  the  audit  objectives  of  the  performance 
audit.  Auditors  should  also  be  alert  to  the  status  of  relevant  findings  and  recommendations 
identified  in  other  available  audits  and  studies  by  other  organizations  as  well.  For  example,  an 
audit  report  on  an  entity’s  computerized  information  systems  may  contain  significant  findings 
that  could  relate  to  the  audit  if  the  entity  uses  such  systems  to  process  its  accounting  or  other 
information  the  auditors  plan  on  using.  In  any  event,  auditors  need  to  make  judgments  about  the 
extent  of  follow-up  needed  and  the  appropriate  disclosure  of  uncorrected  significant  findings  and 
recommendations  from  prior  audits  that  affect  the  audit  objectives. 

7.23  Providing  continuing  attention  to  significant  findings  and  recommendations  is  important  to 
ensure  that  the  benefits  of  audit  work  are  realized.  Ultimately,  the  benefits  of  audit  work  occur 
when  audit  findings  are  resolved  through  meaningful  and  effective  corrective  action  taken  in 
response  to  the  auditors’  findings  and  recommendations.  Officials  of  the  audited  entity  are 
responsible  for  resolving  audit  findings  and  recommendations  directed  to  them  and  for  having  a 
process  to  track  their  status.  If  officials  of  the  audited  entity  do  not  have  such  a  process,  auditors 
may  wish  to  establish  their  own  process. 


⁹ Significant findings and recommendations are those matters that, if not corrected, could affect the results of the
auditors' work and users' conclusions about those results.

Identifying Sources of Audit Evidence


7.24  In  identifying  potential  sources  of  data  that  could  be  used  as  audit  evidence,  auditors  should 
consider the validity and reliability of these data, including data collected by the audited entity,
data generated by the auditors, or data provided by third parties, as well as the sufficiency and
relevance of the evidence. (See paragraphs 7.41 through 7.44 for guidance concerning evidence.)

Considering  Work  of  Other  Auditors 

7.25  Auditors  should  determine  if  other  auditors  have  previously  done,  or  are  doing,  audits  of 
the program or the entity that operates it. Whether other auditors have done performance audits,
financial audits, or attestation engagements, the other auditors may be useful sources of
information for planning and performing the audit. If other auditors have identified areas that
warrant further study, their work may influence the auditors' selection of objectives. The
availability of other auditors' work may also influence the selection of methodology, as the
auditors  may  be  able  to  rely  on  that  work  to  limit  the  extent  of  their  own  testing. 

7.26 If auditors intend to rely on the work of other auditors, they should perform procedures
regarding the specific work to be relied on that provide a sufficient basis for that reliance.
Auditors can obtain evidence concerning the other auditors' qualifications¹⁰ and independence
through  prior  experience,  inquiry,  and/or  review  of  the  other  auditors'  external  quality  control 
review  report.  Auditors  can  determine  the  sufficiency,  relevance,  and  competence  of  other 
auditors'  evidence  by  reviewing  their  report,  audit  program,  or  audit  documentation,  or  by 
performing  supplemental  tests  of  the  other  auditors’  work.  The  nature  and  extent  of  evidence 
needed  will  depend  on  the  significance  of  the  other  auditors'  work  and  on  the  extent  to  which  the 
auditors  will  rely  on  that  work. 


¹⁰ Auditors from another country engaged to conduct audits in their country should meet the professional
qualifications to practice under that country's laws and regulations or other acceptable standards, such as those issued
by the International Organization of Supreme Audit Institutions. Also see the International Federation of
Accountants' International Standards on Auditing.

7.27 Auditors face similar considerations when using the work of nonauditors (consultants,
experts,  specialists,  and  so  forth).  In  addition,  auditors  should  obtain  an  understanding  of  the 
methods  and  significant  assumptions  used  by  the  nonauditors.  (See  paragraph  3.xx  for 
independence  considerations  when  relying  on  the  work  of  others.) 

Staff  and  Other  Resources 

7.28  Staff  planning  should  include,  among  other  things, 

a.  assigning  staff  with  the  appropriate  collective  knowledge,  skills,  and  experience  for  the  job, 

b.  assigning  an  adequate  number  of  staff  and  supervisors  to  the  audit, 

c.  providing  for  on-the-job  training  of  staff,  and 

d.  engaging  specialists  when  necessary. 

7.29  The  availability  of  staff  and  other  resources  and  the  need  for  specialized  skills  are  important 
considerations  in  establishing  the  objectives,  scope,  and  methodology.  For  example,  limitations 
on  travel  funds  may  preclude  auditors  from  visiting  certain  critical  locations,  or  lack  of  expertise 
in  a  particular  methodology  or  with  computerized  information  systems  may  preclude  auditors 
from  undertaking  certain  objectives.  Auditors  may  be  able  to  overcome  such  limitations  by  using 
staff  from  any  existing  local  field  offices  of  the  audit  entity  or  by  engaging  consultants  with  the 
necessary  expertise. 

7.30  If  the  use  of  a  specialist  is  planned,  auditors  should  have  sufficient  knowledge  to 

a.  articulate  the  objectives  required  of  the  specialist, 

b. evaluate whether the specified procedures will meet auditors’ objectives, and

c. evaluate the results of the procedures applied as they relate to other planned audit procedures.


7.31  Auditors  without  sufficient  knowledge  to  perform  the  functions  listed  above  may  have  to 
engage  a  consultant  for  quality  control  purposes  for  the  areas  related  to  the  specialist’s  work. 

Communicating  With  Management  and  Others 

7.32  Auditors  should  communicate  information  about  the  specific  nature  of  the  audit,  as  well  as 
general  information  concerning  the  planning  and  conduct  of  the  performance  audit,  to  the  various 
parties  involved  in  the  audit  to  help  them  understand  the  objectives,  time  frames,  and  any  data 
needs.  Such  parties  may  include 

a.  the  head  of  the  audited  entity; 

b.  the  audit  committee  or,  in  the  absence  of  an  audit  committee,  the  board  of  directors  or  other 
equivalent  oversight  body; 

c.  the  individual  who  possesses  a  sufficient  level  of  authority  and  responsibility  for  the  program 
or  activity  being  audited;  and 

d.  the  individuals  contracting  for  or  requesting  audit  services,  such  as  contracting  officials  or 
legislative  members  or  staff,  if  applicable. 

7.33  Auditors  should  use  their  professional  judgment  to  determine  the  form,  content,  and 
frequency  of  the  communication,  although  written  communication  is  preferred,  and  should 
document  the  communication.  Auditors  may  use  an  engagement  letter,  if  appropriate,  to 
communicate the information.

Documenting Planning Decisions


7.34  A  written  audit  plan  should  be  prepared  for  each  audit.  The  form  and  content  of  the  written 
audit  plan  will  vary  among  audits  but  should  include  an  audit  program  or  project  plan,  a 
memorandum,  or  other  appropriate  documentation  of  key  decisions  about  the  audit  objectives, 
scope,  and  methodology  and  of  the  auditors'  basis  for  those  decisions.  It  should  be  updated,  as 
necessary,  to  reflect  any  significant  changes  to  the  plan  made  during  the  audit. 

7.35  Documenting  the  audit  plan  is  an  opportunity  for  the  auditors  to  review  the  work  done  in 
planning  the  audit  to  determine  whether 

a.  the  proposed  audit  objectives  are  likely  to  result  in  a  useful  report, 

b.  the  proposed  audit  scope  and  methodology  are  adequate  to  satisfy  the  audit  objectives,  and 

c. sufficient staff and other resources are available to perform the audit and to meet expected
time frames for completing the work.

7.36 Written audit plans may include the following.

a.  Information  about  the  legal  authority  for  the  audited  program,  its  history  and  current 
objectives,  its  principal  locations,  and  other  background  that  can  help  auditors  understand  and 
carry  out  the  audit  plan. 

b.  Information  about  the  responsibilities  of  each  member  of  the  audit  team  (such  as  preparing 
audit  programs,  conducting  audit  work,  supervising  and  reviewing  audit  work,  drafting  reports, 
handling  comments  from  officials  of  the  audited  program,  and  processing  the  final  report),  which 
can  help  auditors  when  the  work  is  conducted  at  several  different  locations.  In  these  audits,  use 
of  comparable  audit  methods  and  procedures  can  help  make  the  data  obtained  from  participating 
locations  comparable. 



GAO-02-340G  Government  Auditing  Standards  Exposure  Draft 


c.  Audit  programs  describing  procedures  to  accomplish  the  audit  objectives  and  providing  a 
systematic  basis  for  assigning  work  to  staff  and  for  summarizing  the  work  performed. 

d.  The  general  format  of  the  audit  report  and  the  types  of  information  to  be  included,  which  can 
help  auditors  focus  their  field  work  on  the  information  to  be  reported. 


SUPERVISION 

7.37  The  second  field  work  standard  for  performance  audits  is: 

Staff  are  to  be  properly  supervised. 

7.38  Supervision  involves  directing  the  efforts  of  staff  assigned  to  the  audit  to  ensure  that  the 
audit  objectives  are  accomplished.  Elements  of  supervision  include  providing  sufficient 
guidance  to  staff  members,  keeping  informed  of  significant  problems  encountered,  reviewing  the 
work  performed,  and  providing  effective  on-the-job  training. 

7.39  Supervisors  should  satisfy  themselves  that  staff  members  clearly  understand  what  work 
they  are  to  do,  why  the  work  is  to  be  conducted,  and  what  the  work  is  expected  to  accomplish. 
With  experienced  staff,  supervisors  may  outline  the  scope  of  the  work  and  leave  details  to  the 
staff.  With  a  less  experienced  staff,  supervisors  may  have  to  specify  audit  procedures  to  be 
performed  as  well  as  techniques  for  gathering  and  analyzing  data. 

7.40  The  nature  of  the  review  of  audit  work  may  vary  depending  on  the  significance  of  the  work 
or the experience of the staff. For example, it may be appropriate to have experienced staff
review much of the work of other staff with similar experience.

7.41 The third field work standard for performance audits is:

Sufficient,  competent,  and  relevant  evidence  is  to  be  obtained  to  afford  a  reasonable  basis 
for the auditors' findings and conclusions.

7.42  A  large  part  of  auditors’  work  on  an  audit  concerns  obtaining  and  evaluating  evidence  that 
ultimately  supports  their  judgments  and  conclusions  pertaining  to  the  audit  objectives.  In 
evaluating  evidence,  auditors  consider  whether  they  have  obtained  the  evidence  necessary  to 
achieve  specific  audit  objectives.  When  internal  control  or  compliance  requirements  are 
significant  to  the  audit  objectives,  auditors  should  also  collect  and  evaluate  evidence  relating  to 
controls  or  compliance. 

7.43  Evidence  may  be  categorized  as  physical,  documentary,  testimonial,  and  analytical. 

Physical  evidence  is  obtained  by  auditors'  direct  inspection  or  observation  of  people,  property,  or 
events.  Such  evidence  may  be  documented  in  memoranda,  photographs,  drawings,  charts,  maps, 
or  physical  samples.  Documentary  evidence  consists  of  created  information  such  as  letters, 
contracts,  accounting  records,  invoices,  and  management  information  on  performance. 
Testimonial  evidence  is  obtained  through  inquiries,  interviews,  or  questionnaires.  Analytical 
evidence  includes  computations,  comparisons,  separation  of  information  into  components,  and 
rational  arguments. 

7.44  The  guidance  in  the  following  paragraphs  is  intended  to  help  auditors  judge  the  quality  and 
quantity  of  evidence  needed  to  satisfy  audit  objectives.  Paragraphs  7.45  through  7.48  describe 
the  elements  of  an  audit  finding.  Paragraphs  7.49  through  7.58  provide  guidance  to  help  auditors 
determine  what  constitutes  sufficient,  competent,  and  relevant  evidence  to  support  their  findings 
and conclusions.

Audit Findings


7.45  Audit  findings  often  have  been  regarded  as  containing  the  elements  of  criteria,  condition, 
and  effect,  plus  cause  when  problems  are  found.  However,  the  elements  needed  for  a  finding 
depend  entirely  on  the  objectives  of  the  audit.  Thus,  a  finding  or  set  of  findings  is  complete  to 
the  extent  that  the  audit  objectives  are  satisfied  and  the  report  clearly  relates  those  objectives  to 
the  finding's  elements.  Criteria  are  discussed  in  paragraph  7.21,  and  the  other  elements  of  a 
finding—condition,  effect,  and  cause—are  discussed  in  the  following  paragraphs.

7.46  Condition:  Condition  is  a  situation  that  exists.  It  has  been  determined  and  documented 
during  the  audit. 

7.47  Effect:  Effect  has  two  meanings,  which  depend  on  the  audit  objectives.  When  the  auditors'
objectives  include  identifying  the  actual  or  potential  consequences  of  a  condition  that  varies
(either  positively  or  negatively)  from  the  criteria  identified  in  the  audit,  "effect"  is  a  measure  of
those  consequences.  Auditors  often  use  effect  in  this  sense  to  demonstrate  the  need  for
corrective  action  in  response  to  identified  problems.  When  the  auditors'  objectives  include
estimating  the  extent  to  which  a  program  has  caused  changes  in  physical,  social,  or  economic
conditions,  "effect"  is  a  measure  of  the  impact  achieved  by  the  program.  Here,  effect  is  the
extent  to  which  positive  or  negative  changes  in  actual  physical,  social,  or  economic  conditions
can  be  identified  and  attributed  to  program  operations. 

7.48  Cause:  Like  effect,  cause  also  has  two  meanings,  which  depend  on  the  audit  objectives. 
When  the  auditors'  objectives  include  explaining  why  a  particular  type  of  positive  or  negative 
performance  identified  in  the  audit  occurred,  the  reasons  for  that  performance  are  referred  to  as 
"cause."  Identifying  the  cause  of  problems  can  assist  auditors  in  making  constructive 
recommendations  for  correction.  Because  problems  can  result  from  a  number  of  plausible 
factors  or  multiple  causes,  the  recommendation  can  be  more  persuasive  if  auditors  can  clearly 
demonstrate  and  explain  with  evidence  and  reasoning  the  link  between  the  problems  and  the 
factor  or  factors  they  identified  as  the  underlying  cause.  When  the  auditors'  objectives  include 
estimating  the  program's  effect  on  changes  in  physical,  social,  or  economic  conditions,  they  seek
evidence  of  the  extent  to  which  the  program  itself  is  the  "cause"  of  those  changes. 

Tests  of  Evidence

7.49  Evidence  should  be  sufficient,  competent,  and  relevant  to  support  a  sound  basis  for  audit 
findings,  conclusions,  and  recommendations. 

a.  Evidence  should  be  sufficient  to  support  the  auditors'  findings.  In  determining  the  sufficiency 
of  evidence,  auditors  should  ensure  that  enough  evidence  exists  to  persuade  a  knowledgeable 
person  of  the  validity  of  the  findings.  When  appropriate,  statistical  methods  may  be  used  to 
establish  sufficiency. 

b.  Evidence  is  competent  if  it  is  consistent  with  fact  (that  is,  evidence  is  competent  if  it  is  valid 
and  reliable).  In  assessing  the  competence  of  evidence,  auditors  should  consider  such  factors  as
whether  the  evidence  is  accurate,  authoritative,  timely,  and  authentic.  When  appropriate,
auditors  may  use  statistical  methods  to  derive  competent  evidence.

c.  Evidence  is  relevant  if  it  has  a  logical,  sensible  relationship  to  the  issue  being  addressed.

7.50  The  following  presumptions  are  useful  in  judging  the  competence  of  evidence.  However, 
these  presumptions  are  not  to  be  considered  sufficient  in  themselves  to  determine  competence. 
The  amount  and  kinds  of  evidence  required  to  support  auditors’  conclusions  should  be  based  on
auditors’  professional  judgment. 

a.  Evidence  obtained  when  internal  controls  are  effective  is  more  competent  than  evidence 
obtained  when  controls  are  weak  or  nonexistent.  Auditors  should  therefore  be  particularly 
careful  in  cases  where  controls  are  weak  or  nonexistent. 

b.  Evidence  obtained  through  the  auditors'  direct  physical  examination,  observation,
computation,  and  inspection  is  more  competent  than  evidence  obtained  indirectly. 

c.  Original  documents  provide  more  competent  evidence  than  do  copies. 

d.  Testimonial  evidence  obtained  under  conditions  where  persons  may  speak  freely  is  more 
competent  than  testimonial  evidence  obtained  under  compromising  conditions  (for  example, 
where  the  persons  may  be  intimidated). 

e.  Testimonial  evidence  obtained  from  an  individual  who  is  not  biased  or  has  complete 
knowledge  about  the  area  is  more  competent  than  testimonial  evidence  obtained  from  an 
individual  who  is  biased  or  has  only  partial  knowledge  about  the  area. 

f.  Evidence  obtained  from  a  credible  third  party  may  in  some  cases  be  more  competent  than  that 
secured  from  management  or  other  officials  of  the  audited  entity. 

7.51  Auditors  may  find  it  useful  to  obtain  written  representations  concerning  the  competence  of 
certain  evidence  from  officials  of  the  audited  entity.  Written  representations  ordinarily  confirm 
oral  representations  given  to  auditors,  indicate  and  document  the  continuing  appropriateness  of 
such  representations,  and  reduce  the  possibility  of  misunderstanding  concerning  the  matters  that 
are  the  subject  of  the  representations.  Written  representations  can  take  several  forms,  including 
having  entity  management  sign  summary  documents  prepared  by  the  auditors. 

7.52  The  auditors'  approach  to  determining  the  sufficiency,  competence,  and  relevance  of 
evidence  depends  on  the  source  of  the  information  that  constitutes  the  evidence.  Information 
sources  include  original  data  gathered  by  auditors  and  existing  data  gathered  by  either 
management  or  a  third  party.  Data  from  any  of  these  sources  may  be  obtained  from 
computer-based  systems. 

7.53  Data  gathered  by  auditors:  Data  gathered  by  auditors  include  the  auditors'  own
observations  and  measurements.  Among  the  methods  for  gathering  this  type  of  data  are 
questionnaires,  structured  interviews,  direct  observations,  and  computations.  The  design  of  these 
methods  and  the  skill  of  the  auditors  applying  them  are  the  keys  to  ensuring  that  these  data 
constitute  sufficient,  competent,  and  relevant  evidence.  When  these  methods  are  applied  to 
determine  cause,  auditors  are  concerned  with  eliminating  rival  explanations. 

7.54  Data  gathered  by  management:  Auditors  can  use  data  gathered  by  management  as  part  of 
their  evidence.  However,  auditors  should  determine  the  validity  and  reliability  of  these  data  that 
are  significant  to  the  audit  objectives  and  may  do  so  by  direct  tests  of  the  data.  Auditors  can 
reduce  the  direct  tests  of  the  data  if  they  test  the  effectiveness  of  the  entity's  internal  controls  over 
the  validity  and  reliability  of  the  data,  and  these  tests  support  the  conclusion  that  the  controls  are 
effective.  The  nature  and  extent  of  testing  of  the  data  will  depend  on  the  significance  of  the  data 
to  support  auditors'  findings. 

7.55  Data  gathered  by  third  parties:  The  auditors'  evidence  may  also  include  data  gathered  by
third  parties.  In  some  cases,  these  data  may  have  been  audited  by  others,  or  the  auditors  may  be 
able  to  audit  the  data  themselves.  In  other  cases,  however,  it  will  not  be  practical  to  obtain 
evidence  of  the  data's  validity  and  reliability.  How  the  use  of  unaudited  third-party  data  affects 
the  auditors'  report  depends  on  the  data's  significance  to  the  auditors'  findings.  For  example,  in 
some  circumstances,  auditors  may  use  unaudited  data  to  provide  background  information; 
however,  the  use  of  such  unaudited  data  would  generally  not  be  appropriate  to  support  audit 
findings  and  conclusions. 

7.56  Validity  and  reliability  of  data  from  computer-based  systems:  Auditors  should  obtain 
sufficient,  competent,  and  relevant  evidence  that  computer-processed  data  are  valid  and  reliable 
when  those  data  are  significant  to  the  auditors'  findings.  This  work  is  necessary  regardless  of 
whether  the  data  are  provided  to  auditors  or  auditors  independently  extract  them.¹¹  Auditors
should  determine  if  other  auditors  have  worked  to  establish  the  validity  and  reliability  of  the  data
or  the  effectiveness  of  the  controls  over  the  system  that  produced  the  data.  If  the  results  of  such
work  are  current,  auditors  may  be  able  to  rely  on  that  work.  (See  paragraphs  7.25  through  7.27  for
requirements  when  relying  on  the  work  of  others.)  Auditors  may  also  determine  the  validity  and
reliability  of  computer-processed  data  by  direct  tests  of  the  data.

¹¹When  computer-processed  data  are  used  by  the  auditor,  or  included  in  the  report,  for  background  or  informational
purposes  and  are  not  significant  to  the  auditors'  findings,  citing  the  source  of  the  data  and  stating  that  they  were  not
verified  will  satisfy  the  reporting  standards  for  accuracy  and  completeness  set  forth  in  this  statement.

7.57  Auditors  can  reduce  the  direct  tests  of  the  data  if  they  test  the  effectiveness  of  general  and 
application  controls  over  computer-processed  data,  and  these  tests  support  the  conclusion  that  the 
controls  are  effective.  If  auditors  determine  that  internal  controls  over  data  which  are 
significantly  dependent  upon  computerized  information  systems  are  not  effective  or  if  auditors  do 
not  plan  to  test  the  effectiveness  of  such  controls,  auditors  should  include  audit  documentation 
regarding  the  basis  for  that  conclusion  by  addressing  (1)  the  reasons  why  the  design  or  operation 
of  the  controls  is  ineffective,  or  (2)  the  reasons  why  it  is  inefficient  to  test  the  controls.  In  such 
circumstances,  auditors  should  also  include  audit  documentation  regarding  their  reasons  for 
concluding  that  the  planned  audit  procedures  are  effectively  designed  to  achieve  specific  audit 
objectives.  This  documentation  should  address 

a.  the  rationale  for  determining  the  types  and  extent  of  planned  audit  procedures; 

b.  the  kinds  and  competence  of  available  evidence  produced  outside  a  computerized  information 
system;  and 

c.  the  effect  on  the  audit  report  if  the  evidence  gathered  during  the  audit  does  not  allow  the 
auditors  to  achieve  audit  objectives. 

7.58  When  the  auditors'  tests  of  data  disclose  errors  in  the  data,  or  when  they  are  unable  to 
obtain  sufficient,  competent,  and  relevant  evidence  about  the  validity  and  reliability  of  the  data, 
they  may  find  it  necessary  to 

a.  seek  evidence  from  other  sources,

b.  redefine  the  audit's  objectives  to  eliminate  the  need  to  use  the  data,  or 

c.  use  the  data,  but  clearly  indicate  in  their  report  the  data's  limitations  and  refrain  from  making 
unwarranted  conclusions  or  recommendations. 

Evidence  Indicative  of  Fraud,  Illegal  Acts,  or  Other  Noncompliance

7.59  Auditors  should  be  alert  to  situations  or  transactions  that  could  be  indicative  of  fraud, 
illegal  acts  (violations  of  laws  and  regulations),  or  other  noncompliance  (violations  of  other 
compliance  requirements  such  as  provisions  of  contracts  or  grant  agreements).  When 
information  comes  to  the  auditors'  attention  (through  audit  procedures,  allegations  received 
through  fraud  hotlines,  or  other  means)  indicating  that  fraud,  illegal  acts,  or  other  noncompliance 
may  have  occurred,  auditors  should  consider  whether  the  possible  fraud,  illegal  acts,  or  other 
noncompliance  could  significantly  affect  the  audit  results.  If  they  could,  the  auditors  should 
extend  the  audit  steps  and  procedures,  as  necessary,  (1)  to  determine  if  fraud,  illegal  acts,  or  other 
noncompliance  are  likely  to  have  occurred  and  (2)  if  so,  to  determine  their  effect  on  the  audit 
results. 

7.60  Auditors'  training,  experience,  and  understanding  of  the  program  being  audited  may  provide 
a  basis  for  recognizing  that  some  acts  coming  to  their  attention  may  be  indicative  of  fraud,  illegal 
acts,  or  other  noncompliance.  Whether  an  act  is,  in  fact,  illegal  is  a  determination  to  be  made 
through  the  judicial  or  other  adjudicative  system  and  is  beyond  auditors'  professional  expertise 
and  responsibility.  However,  auditors  are  responsible  for  being  aware  of  vulnerabilities  to  fraud, 
illegal  acts,  or  other  noncompliance  associated  with  the  area  being  audited  in  order  to  be  able  to 
identify  indications  that  fraud,  illegal  acts,  or  other  noncompliance  may  have  occurred.  In  some 
circumstances,  conditions  such  as  the  following  might  indicate  a  heightened  risk  of  fraud,  illegal 
acts,  or  other  noncompliance: 


a.  weak  management  which  fails  to  enforce  existing  internal  control  or  to  provide  adequate 
oversight  over  the  control  process; 

b.  inadequate  separation  of  duties,  especially  those  that  relate  to  controlling  and  safeguarding 
resources; 

c.  transactions  that  are  out  of  the  ordinary  and  are  not  satisfactorily  explained,  such  as 
unexplained  adjustments  in  inventories  or  other  resources; 

d.  instances  when  employees  of  the  audited  entity  refuse  to  take  vacations  or  accept  promotions; 

e.  missing  or  altered  documents,  or  unexplained  delays  in  providing  information; 

f.  false  or  misleading  information;  or 

g.  history  of  impropriety,  such  as  past  audits  or  investigations  with  findings  of  questionable  or
criminal  activity. 

7.61  Auditors  should  exercise  professional  judgment  in  pursuing  indications  of  possible  fraud, 
illegal  acts,  or  other  noncompliance  so  as  not  to  interfere  with  potential  investigations,  legal 
proceedings,  or  both.  Under  some  circumstances,  laws,  regulations,  or  policies  require  auditors 
to  report  indications  of  certain  types  of  illegal  acts  to  law  enforcement  or  investigatory  authorities 
before  extending  audit  steps  and  procedures.  Auditors  may  also  be  required  to  withdraw  from  or 
defer  further  work  on  the  audit  or  a  portion  of  the  audit  in  order  not  to  interfere  with  an 
investigation. 

7.62  An  audit  made  in  accordance  with  these  standards  provides  reasonable  assurance  of 
detecting  fraud,  illegal  acts,  or  other  noncompliance  that  could  significantly  affect  the  audit 
results;  it  does  not  guarantee  the  discovery  of  fraud,  illegal  acts,  or  other  noncompliance.  Nor 
does  the  subsequent  discovery  of  such  acts  committed  during  the  audit  period  necessarily  mean
that  the  auditors'  performance  was  inadequate,  provided  the  audit  was  made  in  accordance  with 
these  standards. 

7.63  Abuse  is  distinct  from  illegal  acts  and  other  noncompliance.  When  abuse  occurs,  no  law, 
regulation,  contract  provision,  or  grant  agreement  is  violated.  Rather,  the  conduct  of  a 
government  program  falls  far  short  of  societal  expectations  for  prudent  program  management. 
Auditors  should  be  alert  to  situations  or  transactions  that  could  be  indicative  of  abuse.  When 
information  comes  to  the  auditors'  attention  (through  audit  procedures,  allegations  received 
through  a  fraud  hotline,  or  other  means)  indicating  that  abuse  may  have  occurred,  auditors  should 
consider  whether  the  possible  abuse  could  significantly  affect  the  audit  results.  If  it  could,  the 
auditors  should  extend  the  audit  steps  and  procedures,  as  necessary,  (1)  to  determine  if  the  abuse 
occurred  and  (2)  if  so,  to  determine  its  effect  on  the  audit  results.  However,  because  the 
determination  of  abuse  is  so  subjective,  auditors  are  not  expected  to  provide  reasonable  assurance 
of  detecting  it. 


AUDIT  DOCUMENTATION

7.64  The  fourth  field  work  standard  for  performance  audits  is: 

Auditors  should  prepare  and  maintain  audit  documentation.  Audit  documentation  should 
contain  sufficient  information  to  enable  an  experienced  reviewer,  who  has  had  no  previous 
connection  with  the  audit,  to  ascertain  from  the  audit  documentation  the  evidence  that 
supports  the  auditors'  significant  judgments  and  conclusions.  Audit  documentation  that 
supports  significant  findings,  conclusions,  and  recommendations  should  be  complete  before
auditors  issue  their  report. 

7.65  The  form  and  content  of  audit  documentation  should  be  designed  to  meet  the  circumstances 
of  the  particular  audit.  The  information  contained  in  audit  documentation  constitutes  the 
principal  record  of  the  work  that  the  auditors  have  performed  and  the  conclusions  that  the
auditors  have  reached.  The  quantity,  type,  and  content  of  audit  documentation  are  a  matter  of  the
auditors'  professional  judgment. 

7.66  Audit  documentation  serves  three  main  purposes:  (1)  to  provide  the  principal  support  for 
the  auditors’  report,  (2)  to  aid  auditors  in  conducting  and  supervising  the  audit,  and  (3)  to  allow 
for  the  review  of  audit  quality.  This  third  purpose  is  important  because  audits  done  in 
accordance  with  GAGAS  often  are  subject  to  review  by  other  auditors  and  by  oversight  officials. 
Audit  documentation  allows  for  the  review  of  audit  quality  by  providing  the  reviewer 
documentation,  either  in  written  or  electronic  formats,  of  the  evidence  supporting  the  auditors' 
significant  judgments  and  conclusions. 

7.67  Audit  organizations  should  establish  reasonable  policies  and  procedures  for  the  safe
custody  and  retention  of  audit  documentation  for  a  time  sufficient  to  satisfy  legal  and
administrative  requirements.  If  audit  documentation  is  only  retained  electronically,  the  audit
organization  should  ensure  that  the  electronic  documentation  is  capable  of  being  accessed
throughout  the  specified  retention  period  established  for  audit  documentation  and  is  safeguarded
through  sound  computer  security.

7.68  Audit  documentation  should  contain

a.  the  objectives,  scope,  and  methodology,  including  sampling  and  other  selection  criteria  used;

b.  documentation  of  the  auditors’  determination  that  certain  standards  do  not  apply  or  that  an
applicable  standard  was  not  followed,  the  reasons  therefor,  and  the  known  effect  that  not
following  the  standard  had,  or  could  have,  on  the  audit;

c.  documentation  of  the  work  performed  to  support  significant  judgments  and  conclusions,
including  descriptions  of  transactions  and  records  examined  that  would  enable  an  experienced 
reviewer  to  examine  the  same  transactions  and  records;  and 

d.  evidence  of  supervisory  review  of  the  work  performed. 

7.69  Underlying  GAGAS  audits  is  the  premise  that  federal,  state,  and  local  governments  and  other
organizations  cooperate  in  auditing  programs  of  common  interest  so  that  the  auditors  may  use 
others'  work  and  avoid  duplicate  audit  efforts.  In  addition,  audits  performed  in  accordance  with 
GAGAS  are  subject  to  quality  control  and  assurance  reviews.  Auditors  should  make 
arrangements  to  make  audit  documentation  available,  upon  request,  in  a  timely  manner  to  other 
auditors  or  reviewers.  Contractual  arrangements  for  GAGAS  audits  should  provide  for  full  and 
timely  access  to  audit  documentation  to  facilitate  reliance  by  other  auditors  on  the  auditors'  work, 
as  well  as  reviews  of  audit  quality  control  and  assurance.


¹²The  nature  of  this  documentation  will  vary  with  the  nature  of  the  work  performed.  For  example,  when  this  work
includes  examination  of  management’s  records,  the  audit  documentation  should  describe  those  records  so  that  an 
experienced  reviewer  would  be  able  to  examine  those  same  records.  Auditors  may  meet  this  requirement  by  listing  file 
numbers,  case  numbers,  or  other  means  of  identifying  specific  documents  they  examined.  They  are  not  required  to 
include  in  the  audit  documentation  copies  of  documents  they  examined,  nor  are  they  required  to  list  detailed  information 
from  those  documents. 

CHAPTER  8


REPORTING  STANDARDS  FOR  PERFORMANCE  AUDITS


INTRODUCTION

8.1  This  chapter  prescribes  reporting  standards  and  provides  guidance  to  auditors  reporting  on 
performance  audits  in  accordance  with  generally  accepted  government  auditing  standards  (GAGAS). 
The  reporting  standards  for  performance  audits  relate  to  the  form  of  the  report,  the  report  contents, 
report  quality,  and  report  issuance  and  distribution. 


FORM 

8.2  The  first  reporting  standard  for  performance  audits  is: 

Auditors  should  prepare  audit  reports  communicating  the  results  of  each  audit. 

8.3  The  form  of  the  audit  report  should  be  appropriate  for  its  intended  use.  Auditors  should  use 
their  professional  judgment  including  consideration  of  users’  needs,  likely  demand,  and  distribution 
in  determining  the  form  of  the  audit  report.  In  addition  to  a  more  formal  presentation  of  audit 
results,  such  as  a  chapter  report  or  a  letter  report,  briefing  slides  may  be  considered  audit  reports. 
Audit  reports  also  may  be  presented  on  electronic  media  that  are  retrievable  by  report  users  and  the 
audit  organization,  such  as  video  or  compact  disk  formats.  However,  to  comply  with  these 
standards,  audit  reports,  regardless  of  form,  should  comply  with  all  applicable  reporting  standards. 

8.4  This  standard  is  not  intended  to  limit  or  prevent  discussion  of  findings,  judgments,  conclusions,
and  recommendations  with  persons  who  have  responsibilities  involving  the  area  being  audited.  On 
the  contrary,  such  discussions  are  encouraged. 

8.5  Audit  reports  (1)  communicate  the  results  of  audits  to  officials  at  various  levels  of  government, 
(2)  make  the  results  less  susceptible  to  misunderstanding,  (3)  make  the  results  available  for  public 
inspection,  and  (4)  facilitate  follow-up  to  determine  whether  appropriate  corrective  actions  have  been 
taken.  The  need  to  maintain  public  accountability  for  government  programs  demands  that  audit
reports  be  retrievable. 

8.6  When  an  audit  is  terminated  before  it  is  completed,  auditors  should  communicate  that  fact  to 
management  of  the  audited  entity,  the  entity  requesting  the  audit,  and  other  appropriate  officials, 
preferably  in  writing.  In  the  absence  of  an  audit  report,  auditors  should  also  write  a  memorandum  for 
the  record  that  summarizes  the  results  of  the  work  to  the  date  of  termination  and  explains  why  the 
audit  was  terminated. 


REPORT  CONTENTS

8.7  The  second  reporting  standard  for  performance  audits  is:

The  audit  report  should  include  the  objectives,  scope,  and  methodology;  the  audit  results, 
including  findings,  conclusions,  and  recommendations,  as  appropriate;  a  reference  to 
compliance  with  generally  accepted  government  auditing  standards;  the  views  of  responsible 
officials;  and,  if  applicable,  the  nature  of  any  privileged  and  confidential  information  omitted. 

Objectives,  Scope,  and  Methodology


8.8  Auditors  should  include  in  the  report  the  audit  objectives  and  the  scope  and  methodology  used
for  achieving  the  audit  objectives.  This  information  is  needed  by  report  users  to  understand  the
purpose  of  the  audit  and  the  nature  of  the  audit  work  performed,  to  provide  perspective  as  to  what  is
reported,  and  to  understand  any  significant  limitations  in  audit  objectives,  scope,  or  methodology.
Auditors  should  also  report  the  status  of  uncorrected  significant  findings  and  recommendations¹  from
prior  audits  that  affect  the  objectives  of  the  current  audit.

Objectives 

8.9  Audit  objectives  should  be  communicated  to  knowledgeable  users  by  reporting  the  questions
that  were  to  be  answered  in  the  audit  in  a  clear,  specific,  and  neutral  manner  that  avoids  unstated
assumptions.  In  reporting  the  audit  objectives,  auditors  should  explain  why  the  audit  organization
undertook  the  assignment  and  state  what  the  report  is  to  accomplish,  and  why  the  subject  matter  is
important.  Articulating  what  the  report  is  to  accomplish  normally  involves  identifying  the  audit
subject  and  the  aspect  of  performance  examined.  The  reported  audit  objectives  provide  more
meaningful  information  to  report  users  if  they  are  measurable  and  feasible  and  avoid  being  presented
in  a  broad  or  general  manner.  To  reduce  misunderstanding  in  cases  where  the  objectives  are
particularly  limited  and  broader  objectives  can  be  inferred,  it  may  be  necessary  to  state  objectives 
that  were  not  pursued. 

Scope  and  Methodology 

8.10  In  reporting  the  scope  of  the  audit,  auditors  should  describe  the  depth  and  coverage  of  work
conducted  to  accomplish  the  audit's  objectives.  Auditors  should,  as  applicable,  explain  the
relationship  between  the  population  of  items  sampled  and  what  was  audited;  identify  organizations,
geographic  locations,  and  the  period  covered;  report  the  kinds  and  sources  of  evidence;  and  explain
any  problems  with  the  evidence.  Auditors  should  also  report  significant  constraints  imposed  on  the
audit  approach  by  data  limitations  or  scope  impairments.

¹Significant  findings  and  recommendations  are  those  matters  that,  if  not  corrected,  could  affect  the  results  of  the  auditors’
work  and  users’  conclusions  about  those  results.

8.11  To  report  the  methodology  used,  auditors  should  clearly  explain  how  the  audit  objectives  were 
accomplished  including  the  evidence  gathering  and  analysis  techniques  used  in  sufficient  detail  to 
allow  knowledgeable  users  of  their  reports  to  understand  the  work.  This  explanation  should  identify 
any  significant  assumptions  made  in  conducting  the  audit;  describe  any  comparative  techniques 
applied;  describe  the  criteria  used;  and  when  sampling  significantly  supports  auditors'  findings, 
describe  the  sample  design  and  state  why  it  was  chosen,  including  whether  the  results  can  be 
projected  to  the  intended  population. 

8.12  Auditors  should  attempt  to  avoid  misunderstanding  by  the  report  user  concerning  the  work  that 
was  and  was  not  done  to  achieve  the  audit  objectives,  particularly  when  the  work  was  limited 
because  of  constraints  on  time  or  resources.  The  auditors’  report  should  clearly  describe  the  scope  of 
the  work  performed  and  any  limitations,  the  applicable  standards  that  were  not  followed,  and  the 
reasons  therefor,  and  how  not  following  the  applicable  standards  affected  or  could  affect  the  results
of  the  work.  For  example,  if  the  auditors  are  unable  to  determine  the  reliability  of  information  from 
an  agency’s  database,  and  information  from  this  database  is  critical  to  the  audit  findings,  the  report 
should  clearly  state  the  limitations  associated  with  the  information  and  refrain  from  making 
unwarranted  conclusions  or  recommendations.  In  these  situations,  the  audit  report  should  also 
include  the  reasons  the  auditors  were  unable  to  perform  this  work  and  the  potential  impact  on  the 
findings  if  the  information  is  not  reliable. 

Audit  Results 

8.13  Auditors  should  report  significant  findings  by  providing  credible  and  convincing  evidence  that 
relates  to  the  audit  objectives.  An  audit  report  is  improved  when  it  provides  sufficient  contextual 
sophistication  to  reflect  an  understanding  of  the  issues  and  an  awareness  of  the  external  environment, 
including  sensitivity  to  relevant  trends.  The  report  should  provide  selective  background  information 
to  provide  the  context  for  the  overall  message  and  to  help  the  reader  understand  the  significance  of
the  issues  discussed.²  The  report  should  also  include  all  significant  instances  of  fraud,  illegal  acts,  or
other  noncompliance  and  all  significant  instances  of  abuse  that  were  found  during  or  in  connection
with  the  audit  and  any  significant  weaknesses  in  internal  control  found  during  the  audit,  and  where
applicable,  auditors'  conclusions.

Findings 

8.14  Auditors  should  report  the  significant  findings  developed  in  response  to  each  audit  objective. 
These  findings  should  be  supported  by  sufficient,  competent,  and  relevant  evidence.  They  also 
should  be  presented  in  a  manner  to  promote  adequate  understanding  of  the  matters  reported  and  to 
provide  convincing  but  fair  presentations  in  proper  perspective. 

8.15  As  discussed  in  chapter  7,  findings  often  have  been  regarded  as  containing  the  elements  of 
criteria,  condition,  cause,  and  effect.  However,  the  elements  needed  for  a  finding  depend  on  the 
audit  objectives.  Thus,  a  finding  or  set  of  findings  is  complete  to  the  extent  that  the  audit  objectives 
are  satisfied  and  the  report  clearly  relates  those  objectives  to  the  elements  of  the  finding. 

8.16  Auditors  should  develop  the  elements  of  a  finding  in  the  audit  report,  as  appropriate  to  satisfy 
the  audit  objectives.  In  reporting  on  elements  of  findings,  auditors  may  find  it  useful  to  consider  the 
following  guidance  on  each  finding  element. 


^Appropriate  background  information  may  include  information  on  how  programs/operations  work,  the  significance  of 
programs/operations  (i.e.,  dollars,  impact,  purposes,  and  past  audit  work  if  relevant),  a  description  of  the  audited  entity’s 
responsibilities,  and  explanation  of  terms,  organizational  structure,  and  statutory  basis  for  the  program/operations. 

^Whether  a  particular  act  is,  in  fact,  illegal  may  have  to  await  final  determination  by  a  court  of  law.  Thus,  when  auditors 
disclose  matters  that  have  led  them  to  conclude  that  an  illegal  act  is  likely  to  have  occurred,  they  should  take  care  not  to 
imply  that  they  have  made  a  determination  of  illegality.  See  paragraph  8.17  for  additional  reporting  considerations.

4  Significant  weaknesses  in  internal  controls  may  be  discussed  in  the  report  as  an  element  of  a  finding.  Many  times  these
weaknesses  will  be  described  as  the  cause  of  the  finding  or  in  “a  process  finding”  will  be  the  condition  element. 
Paragraphs  7.46  through  7.49  describe  the  elements  of  a  finding. 
a.  Criteria:  An  audit  report  is  improved  when  it  provides  information  so  that  the  report  user  will  be
able  to  determine  what  is  the  required  or  desired  state  or  what  is  expected  from  the  program  or 
operation.  The  criteria  are  easier  to  understand  when  stated  fairly,  explicitly,  and  completely,  and  the 
source  of  the  criteria  are  identified  in  the  audit  report.^ 

b.  Condition:  The  audit  report  is  improved  when  it  provides  evidence  of  what  the  auditors  found 
regarding  the  actual  situation.  Reporting  the  scope  or  extent  of  the  condition  allows  the  report  user 
to  gain  an  accurate  perspective. 

c.  Cause:  The  audit  report  is  improved  when  it  provides  convincing  evidence  on  the  factor  or  factors 
responsible  for  the  difference  between  condition  and  criteria.  In  reporting  the  cause,  auditors  may 
consider  whether  the  evidence  provides  a  reasonable  and  persuasive  argument  for  why  the  stated 
cause  is  the  key  factor  or  factors  contributing  to  the  difference  as  opposed  to  other  possible  causes, 
such  as  poorly  designed  criteria  or  factors  uncontrollable  by  program  management.  The  auditors  also 
may  consider  whether  the  identified  cause  serves  as  a  basis  for  the  recommendations. 

d.  Effect:  The  audit  report  is  improved  when  it  provides  a  clear,  logical  link  to  establish  the  impact
of  the  difference  between  what  the  auditors  found  (condition)  and  what  should  be  (criteria).  Effect  is 
easier  to  understand  when  it  is  stated  clearly,  concisely,  and  in  concrete  terms.  The  significance  of 
the  reported  effect  can  be  demonstrated  through  credible  evidence. 

8.17  When  auditors  conclude,  based  on  evidence  obtained,  that  significant  fraud,  illegal  acts,  or 
other  noncompliance  either  has  occurred  or  is  likely  to  have  occurred,  they  should  include  in  their 
audit  report  the  relevant  information.  The  term  "noncompliance"  comprises  illegal  acts  (violations 
of  laws  and  regulations)  and  violations  of  provisions  of  contracts  or  grant  agreements.  When 
auditors  conclude  significant  abuse  has  or  is  likely  to  have  occurred,  they  should  also  include 

5  Common  sources  for  criteria  are  laws,  regulations,  policy,  procedures,  best  or  standard  practice,  or  assertions.  The
Standards  for  Internal  Control  in  the  Federal  Government  (GAO/AIMD-00-21.3.1,  November  1999)  and  Internal
Control — Integrated  Framework,  published  by  the  Committee  of  Sponsoring  Organizations  of  the  Treadway  Commission 
(COSO  Report)  are  two  sources  of  established  criteria  auditors  can  use  to  support  their  judgments  and  conclusions  about 
internal  control. 
relevant  information  in  the  report.  Abuse  occurs  when  the  conduct  of  a  government  organization,
program,  activity,  or  function  falls  short  of  societal  expectations  for  prudent  behavior. 

8.18  In  reporting  significant  instances  of  noncompliance,  auditors  should  place  their  findings  in 
perspective.  To  give  the  report  user  a  basis  for  judging  the  prevalence  and  consequences  of
noncompliance,  the  instances  of  noncompliance  should  be  related  to  the  population  or  the  number  of 
cases  examined  and  quantified  in  terms  of  dollar  value,  if  appropriate.  If  the  results  cannot  be 
projected,  the  conclusion  should  be  limited  to  the  items  tested. 

8.19  In  reporting  on  internal  control,  auditors  should  describe  the  scope  of  internal  control  testing, 
and  in  presenting  the  results  of  those  tests,  report  the  significant  weaknesses.^  Auditors  may  identify 
significant  weaknesses  in  internal  control  as  the  cause  of  deficient  performance.  In  reporting  this 
type  of  finding,  the  control  weakness  would  be  described  as  the  “cause.” 

8.20  When  auditors  detect  nonsignificant  instances  of  fraud,  illegal  acts,  or  other  noncompliance 
or  nonsignificant  instances  of  abuse  or  weaknesses  in  internal  control,  they  should  communicate 
them  to  the  officials  of  the  audited  program,  preferably  in  writing.  Auditors  should  include  in 
their  audit  documentation  all  communications  to  officials  of  the  audited  program  about  fraud, 
illegal  acts,  or  other  noncompliance  and  instances  of  abuse  or  internal  control  weaknesses.  If  the 
auditors  have  communicated  such  instances  of  fraud,  illegal  acts,  or  other  noncompliance,  abuse, 
and  internal  control  weaknesses  in  a  management  letter  to  top  management,  auditors  should  refer 
to  that  management  letter  in  the  audit  report. 


Significant  weaknesses  are  matters  coming  to  the  auditors’  attention  that  they  believe  should  be  reported  to  officials  of 
the  audited  program  because  they  could  adversely  affect  the  program  under  audit. 
Direct  Reporting  of  Fraud  and  Illegal  Acts


8.21  Auditors  are  responsible  for  reporting  certain  fraud  and  illegal  acts  directly  to  parties  outside 
the  audited  entity  in  certain  circumstances,  as  discussed  in  the  following  paragraphs.  Auditors^7
should  fulfill  these  responsibilities  even  if  they  have  resigned  or  been  dismissed  from  the  audit.

8.22  Officials  of  the  audited  entity  may  be  required  by  law  or  regulation  to  report  certain  fraud  and 
illegal  acts  to  specified  external  parties  such  as  a  federal  inspector  general  or  a  state  attorney  general. 
If  auditors  have  communicated  such  fraud  and  illegal  acts  to  officials  of  the  audited  entity,  and  the 
latter  fail  to  report  them,  then  the  auditors  should  communicate  their  awareness  of  that  failure  to  the 
audited  entity’s  governing  body.  If  officials  of  the  audited  entity  do  not  make  the  required  report  as 
soon  as  practical  after  the  auditors'  communication  with  its  governing  body,  then  the  auditors  should 
report  the  fraud  and  illegal  acts  directly  to  the  external  party  specified  in  the  law  or  regulation. 

8.23  Auditors  should  obtain  sufficient,  competent,  and  relevant  evidence,  such  as  confirmation  with 
outside  parties,  to  corroborate  assertions  by  management  that  it  has  reported  fraud  or  illegal  acts.  If 
they  are  unable  to  do  so,  then  the  auditors  should  report  the  fraud  or  illegal  acts  directly  as  discussed 
above. 

8.24  Laws,  regulations,  or  other  authority  may  require  auditors  to  report  promptly  indications  of 
fraud  or  other  illegal  acts  to  law  enforcement  or  investigatory  authorities.  In  such  circumstances, 
when  auditors  conclude  that  fraud  or  another  illegal  act  either  has  or  is  likely  to  have  occurred,  they 
should  refer  it  to  law  enforcement  or  investigatory  authorities  and  ask  those  authorities  or  legal 
counsel  if  reporting  certain  information  about  the  potential  fraud  or  illegal  act  would  compromise 
investigative  or  legal  proceedings.  Auditors  should  limit  the  extent  of  their  reporting  to  matters  that 
would  not  compromise  those  proceedings,  such  as  information  that  is  already  a  part  of  the  public 
record. 


7  Internal  audit  organizations  do  not  have  a  duty  to  report  outside  that  entity  unless  required  by  law,  rule,  regulation,  or
policy. 
Conclusions


8.25  Auditors  should  report  conclusions  when  called  for  by  the  audit  objectives.  Conclusions  are 
logical  inferences  about  the  program  based  on  the  auditors'  findings  and  should  flow  from  the 
findings,  instead  of  representing  a  summary  of  them.  Conclusions  should  be  clearly  stated,  not 
implied.  The  strength  of  the  auditors'  conclusions  depends  on  the  persuasiveness  of  the  evidence 
supporting  the  findings  and  the  soundness  of  the  logic  used  to  formulate  the  conclusions. 
Conclusions  are  stronger  if  they  set  up  the  report’s  recommendations  and  convince  the 
knowledgeable  user  of  the  report  that  action  is  necessary. 

Recommendations 

8.26  If  warranted,  auditors  should  make  recommendations  for  actions  to  improve  programs  and 
operations  and  to  correct  problem  areas  identified  during  the  audit.  Auditors  should  make
recommendations  when  the  potential  for  improvement  in  programs,  operations,  and  performance  is 
substantiated  by  the  reported  findings  and  conclusions.  Recommendations  should  logically  flow 
from  the  evidence  and  need  to  state  clearly  the  actions  to  be  taken.  Recommendations  to  effect 
compliance  with  laws  and  regulations  and  improve  internal  control  also  should  be  made  when 
significant  instances  of  fraud,  illegal  acts,  or  other  noncompliance  are  noted  or  significant  abuse  or 
weaknesses  in  controls  are  found. 

8.27  Constructive  recommendations  can  encourage  improvements  in  the  conduct  of  government 
programs  and  operations.  For  recommendations  to  be  most  constructive,  they  should  be  directed  at 
resolving  the  cause  of  identified  problems,  action  oriented  and  specific,  addressed  to  parties  that 
have  the  authority  to  act,  practical,  and,  to  the  extent  feasible,  cost  effective  and  measurable. 
Statement  on  Compliance  With  Generally  Accepted  Government  Auditing  Standards

8.28  Auditors  should  report  that  the  audit  was  made  in  accordance  with  generally  accepted 
government  auditing  standards.  The  statement  of  compliance  with  GAGAS  refers  to  all  the 
applicable  standards  that  the  auditors  should  have  followed  during  the  audit.  The  statement  should 
be  qualified  in  situations  in  which  the  auditors  did  not  follow  an  applicable  standard.  In  these 
situations,  auditors  should  report  in  the  scope  section  the  applicable  standard  that  was  not  followed, 
the  reasons  therefore,  and  how  not  following  the  standard  affected  the  results  of  the  audit. 

Views  of  Responsible  Officials 

8.29  Auditors  should  report  the  views  of  responsible  officials  of  the  audited  program  concerning 
auditors'  findings,  conclusions,  and  recommendations.  One  of  the  most  effective  ways  to  ensure  that 
a  report  is  fair,  complete,  and  objective  is  to  obtain  advance  review  and  comments  by  responsible 
officials  of  the  audited  entity  and  others,  as  may  be  appropriate.  Including  the  views  of  responsible 
officials  produces  a  report  that  shows  not  only  what  was  found,  and  what  the  auditors  think  about  it, 
but  also  what  the  officials  in  the  audited  entity  think  about  the  report  and  what  they  plan  to  do  about 
it. 

8.30  Auditors  should  normally  request  that  the  responsible  officials'  views  on  significant  findings, 
conclusions,  and  recommendations  be  submitted  in  writing.  Oral  comments  are  acceptable  as  well, 
and,  in  some  cases,  may  be  the  only  or  most  expeditious  way  to  obtain  comments.  Cases  in  which 
obtaining  oral  comments  can  be  effective  include  when  there  is  a  time-critical  need  to  meet  a  user’s 
needs;  the  auditor  has  worked  closely  with  the  responsible  officials  throughout  the  conduct  of  the 
work  and  the  parties  are  very  familiar  with  the  findings  and  issues  addressed  in  the  draft  product;  or 
the  auditor  does  not  expect  major  disagreements  with  the  draft  report’s  findings,  conclusions,  and 
recommendations,  or  perceive  any  major  controversies  with  regard  to  the  issues  discussed  in  the 
draft  report.  Auditors  should  prepare  a  summary  of  the  officials’  oral  comments  and  provide  a  copy 
of  the  summary  to  management  of  the  audited  entity  to  verify  that  the  comments  are  accurately
stated. 

8.31  Comments  should  be  fairly  and  objectively  evaluated  and  recognized,  as  appropriate,  in  the 
final  report.  Comments,  such  as  a  promise  or  plan  for  corrective  action,  should  be  noted  but  should 
not  be  accepted  as  justification  for  dropping  a  significant  finding  or  a  related  recommendation. 

8.32  When  the  audited  entity’s  comments  state  that  the  report's  findings,  conclusions,  or 
recommendations  are  inaccurate  or  misleading  and  those  comments  are  not,  in  the  auditors'  opinion, 
valid,  the  auditors  should  state  their  reasons  for  disagreeing  with  the  comments.  The  auditors’ 
disagreement  should  be  stated  in  a  fair  and  objective  manner.  Conversely,  the  auditors  should 
modify  their  report  as  necessary  if  they  find  the  comments  valid.  Auditors  may  wish  to  attach  the 
comment  letter  to  the  audit  report  to  provide  the  reader  with  both  points  of  view. 

Privileged  and  Confidential  Information

8.33  If  certain  information  is  prohibited  from  general  disclosure,  auditors  should  report  the  nature  of 
the  information  omitted  and  the  requirement  that  makes  the  omission  necessary.  Certain  information 
may  be  prohibited  from  general  disclosure  by  federal,  state,  or  local  laws  or  regulations.  In  such 
circumstances,  auditors  may  issue  a  separate  limited  official  use  report  containing  such  information 
and  distribute  the  report  only  to  persons  authorized  by  law  or  regulation  to  receive  it.  Auditors 
should,  when  appropriate,  consult  with  legal  counsel  regarding  any  requirements  or  other 
circumstances  that  may  necessitate  the  omission  of  certain  information.  If  auditors  make  the 
judgment  that  certain  pertinent  information  should  be  excluded  from  a  publicly  available  report,  they 
should  state  the  nature  of  the  information  omitted  and  the  reasons  that  make  the  omission  necessary. 

8.34  Additional  circumstances  associated  with  public  safety  and  security  concerns  could  also  justify 
the  exclusion  of  certain  information  in  the  report.  For  example,  detailed  information  related  to 
computer  security  for  a  particular  program  may  be  excluded  from  publicly  available  reports  because 
of  the  potential  damage  that  could  be  caused  by  the  misuse  of  this  information.  In  such
circumstances,  auditors  may  issue  a  limited  official  use  report  containing  such  information  and 
distribute  the  report  only  to  those  parties  responsible  for  acting  on  the  auditors’  recommendations.  If 
auditors  make  the  judgment  that  certain  additional  information  should  be  excluded  from  a  publicly 
available  report,  they  should  state  the  nature  of  the  information  omitted  and  the  reasons  that  make
the  omission  necessary. 

8.35  Auditors  are  expected  to  act  with  integrity  in  judging  whether  any  information  should  be 
excluded  from  publicly  available  reports.  These  judgments  need  to  be  made  in  a  consistent  manner 
with  consideration  of  the  broader  public  interest  in  the  program  or  activity  under  review.  Auditors 
need  to  weigh  the  need  to  reveal  all  significant  facts  known  to  them  which,  if  not  revealed,  could 
either  distort  the  results  or  conceal  improper  or  unlawful  practice  against  any  requirements  or  other 
circumstances  that  may  necessitate  the  omission  of  certain  information. 


REPORT  QUALITY

8.36  The  third  reporting  standard  for  performance  audits  is: 

The  reports  should  be  timely,  fact-based,  accurate,  objective,  convincing,  clear,  and  as  concise
as  the  subject  permits. 

Timely 

8.37  To  be  of  maximum  use,  the  audit  report  needs  to  provide  relevant  information  in  time  to 
respond  to  management,  legislative  officials,  and  other  users’  legitimate  needs.  Likewise,  the 
information  provided  in  the  report  needs  to  be  current.  Therefore,  auditors  should  plan  for  the 
appropriate  issuance  of  the  report  and  conduct  the  audit  with  these  goals  in  mind. 
8.38  During  the  audit,  the  auditors  should  consider  interim  reporting  of  significant  matters  to
appropriate  entity  officials.  Such  communication,  which  may  be  oral  or  written,  is  not  a  substitute 
for  a  final  report,  but  it  does  alert  officials  to  matters  needing  immediate  attention  and  permits  them 
to  correct  them  before  the  final  report  is  completed. 

Fact-Based

8.39  Being  fact-based  requires  that  the  report  contains  all  evidence  needed  to  satisfy  the  audit 
objectives  and  promotes  an  adequate  and  correct  understanding  of  the  matters  reported.  It  also 
means  the  report  states  information  and  findings  completely,  including  all  necessary  facts  and 
explanations.  Giving  report  users  an  adequate  and  correct  understanding  means  providing 
perspective  on  the  extent  and  significance  of  reported  findings,  such  as  the  frequency  of  occurrence 
relative  to  the  number  of  cases  or  transactions  tested,  and  the  relationship  of  the  findings  to  the 
entity's  operations. 

8.40  In  most  cases,  a  single  example  of  a  deficiency  is  not  sufficient  to  support  a  broad  conclusion 
or  a  related  recommendation.  All  that  it  supports  is  that  a  deviation,  an  error,  or  a  weakness  existed. 
Sufficient  detailed  supporting  data  should  be  included  to  make  convincing  presentations. 

Accurate 

8.41  Accuracy  requires  that  the  evidence  presented  be  true  and  that  findings  be  correctly  portrayed. 
The  need  for  accuracy  is  based  on  the  need  to  assure  report  users  that  what  is  reported  is  credible  and 
reliable.  One  inaccuracy  in  a  report  can  cast  doubt  on  the  validity  of  an  entire  report  and  can  divert 
attention  from  the  substance  of  the  report.  Also,  use  of  inaccurate  evidence  can  damage  the 
credibility  of  the  issuing  audit  organization  and  reduce  the  effectiveness  of  its  reports. 

8.42  The  report  should  include  only  information,  findings,  and  conclusions  that  are  supported  by 
competent  and  relevant  evidence  in  the  audit  documentation.  If  data  are  significant  to  the  audit 
findings  and  conclusions,  but  are  not  audited,  the  auditors  should  clearly  indicate  in  their  report  the
data's  limitations  and  not  make  unwarranted  conclusions  or  recommendations  based  on  those  data. 

8.43  Reported  evidence  should  demonstrate  the  correctness  and  reasonableness  of  the  matters 
reported.  Correct  portrayal  means  describing  accurately  the  audit  scope  and  methodology,  and 
presenting  findings  and  conclusions  in  a  manner  consistent  with  the  scope  of  audit  work.  The  report 
should  not  have  errors  in  logic  and  reasoning.  One  way  to  help  ensure  accuracy  in  the  report  is  to 
use  a  quality  control  process  such  as  referencing.  Referencing  is  a  process  in  which  statements  of 
facts,  figures,  and  dates  are  traced  back  to  the  supporting  working  papers  by  an  experienced  auditor 
who  is  independent  of  the  audit.  This  process  is  designed  to  ensure  that  sufficient  credible  evidence 
is  present  to  support  the  report’s  conclusions  and  recommendations. 

Objective 

8.44  Objectivity  requires  that  the  presentation  of  the  entire  report  be  balanced  in  content  and  tone.
A  report's  credibility  is  significantly  enhanced  when  it  presents  evidence  in  an  unbiased  manner  so
that  report  users  can  be  persuaded  by  the  facts.  The  report  should  be  fair  and  not  misleading,  and 
should  place  the  audit  results  in  perspective.  This  means  presenting  the  audit  results  impartially  and 
fairly.  In  describing  shortcomings  in  performance,  auditors  should  put  findings  in  context.  For 
example,  the  audited  entity  may  have  faced  unusual  difficulties  or  circumstances. 

8.45  The  tone  of  reports  should  encourage  decision  makers  to  act  on  the  auditors'  findings  and 
recommendations.  This  tone  should  be  balanced  by  requiring  reports  to  present  sound  and  logical 
evidence  to  support  conclusions,  while  refraining  from  using  adjectives  or  adverbs  that  characterize 
evidence  in  a  way  that  implies  criticism  or  conclusion  by  innuendo. 

8.46  The  report  should  also  recognize  the  positive  aspects  of  the  program  reviewed  if  applicable  to 
the  audit  objectives.  Inclusion  of  positive  program  aspects  may  lead  to  improved  performance  by 
other  government  organizations  that  read  the  report. 
Convincing


8.47  Being  convincing  requires  that  the  audit  results  be  responsive  to  the  audit  objectives,  the 
findings  be  presented  persuasively,  and  the  conclusions  and  recommendations  follow  logically  from 
the  facts  presented.  The  information  presented  should  be  sufficient  to  convince  the  report  users  to 
recognize  the  validity  of  the  findings,  the  reasonableness  of  the  conclusions,  and  the  benefit  of 
implementing  the  recommendations.  Reports  designed  in  this  way  can  help  focus  the  attention  of 
responsible  officials  on  the  matters  that  warrant  attention  and  can  help  stimulate  correction. 

Clear 

8.48  Clarity  requires  that  the  report  be  easy  to  read  and  understand.  Reports  should  be  prepared  in 
language  as  clear  and  simple  as  the  subject  permits.  Use  of  straightforward,  nontechnical  language  is
essential  to  simplicity  of  presentation.  Whenever  technical  terms,  abbreviations,  and  acronyms  are
used,  they  should  be  clearly  defined.

8.49  Auditors  may  consider  using  a  summary  within  the  report  to  capture  the  report  user’s  attention
and  highlight  the  overall  message.  If  a  summary  is  used,  it  generally  should  focus  on  the  specific 
answers  to  the  questions  in  the  audit  objectives,  summarize  the  audit’s  most  significant  findings  and 
the  report’s  principal  conclusions,  and  prepare  users  to  anticipate  the  major  recommendations. 

8.50  Logical  organization  of  material,  and  accuracy  and  precision  in  stating  facts  and  in  drawing 
conclusions,  are  essential  to  clarity  and  understanding.  Effective  use  of  titles  and  captions  and  topic 
sentences  makes  the  report  easier  to  read  and  understand.  Visual  aids  (such  as  pictures,  charts, 
graphs,  and  maps)  should  be  used  when  appropriate  to  clarify  and  summarize  complex  material. 
Concise


8.51  Being  concise  requires  that  the  report  be  no  longer  than  necessary  to  convey  and  support  the
message.  Extraneous  detail  detracts  from  a  report,  may  even  conceal  the  real  message,  and  may
confuse  or  distract  the  users.  Also,  needless  repetition  should  be  avoided.  Although  room  exists
for  considerable  judgment  in  determining  the  content  of  reports,  those  that  are  fact-based,  but  still
concise,  are  likely  to  achieve  greater  results.


REPORT  ISSUANCE  AND  DISTRIBUTION

8.52  The  fourth  reporting  standard  for  performance  audits  is: 

Audit  organizations  should  submit  audit  reports  to  the  appropriate  officials  of  the  audited
program  and  to  the  appropriate  officials  of  the  organizations  requiring  or  arranging  for  the 
audits,  including  external  funding  organizations,  unless  legal  restrictions  prevent  it.  Copies  of 
the  reports  should  also  be  sent  to  other  officials  who  have  legal  oversight  authority  or  who  may 
be  responsible  for  acting  on  audit  findings  and  recommendations  and  to  others  authorized  to 
receive  such  reports.  Unless  the  report  is  restricted  by  law  or  regulation,  copies  should  be 
made  available  for  public  inspection. 

8.53  Audit  reports  should  be  distributed  in  a  timely  manner  to  officials  interested  in  the  results.
Such  officials  include  those  designated  by  law  or  regulation  to  receive  such  reports,  those
responsible  for  acting  on  the  findings  and  recommendations,  those  of  other  levels  of  government 
who  have  provided  assistance  to  the  audited  entity,  and  legislators.  However,  if  the  subject  of  the 
audit  involves  material  that  is  classified  for  security  purposes  or  is  not  releasable  to  particular  parties 
or  the  public  for  other  valid  reasons,  auditors  should  limit  the  report  distribution. 
8.54  When  nongovernment  audit  organizations  are  engaged,  the  engaging  government  organization
should  ensure  that  the  report  is  distributed  appropriately.  If  the  nongovernment  audit  organization  is 
to  make  the  distribution,  the  engagement  agreement  should  indicate  which  officials  or  organizations 
should  receive  the  report. 

8.55  Internal  auditors  should  follow  their  entity's  own  arrangements  and  statutory  requirements  for 
distribution.  Usually,  they  report  to  their  entity's  top  managers,  who  are  responsible  for  distribution 
of  the  report.  Further  distribution  of  reports  outside  the  organization  should  be  made  in  accordance 
with  applicable  law,  rule,  regulation,  or  policy. 